* Re: xz upstream backdoor compromise (was: Cygwin: Linux xz issue) [not found] <em9acc6e7a-921f-4922-a5dd-77cc63657601@fece094b.com> @ 2024-03-30 8:08 ` Brian Inglis 0 siblings, 0 replies; only message in thread From: Brian Inglis @ 2024-03-30 8:08 UTC (permalink / raw) To: Cygwin Apps On 2024-03-29 16:43, Ron Murray via Cygwin wrote: > There is a serious security issue with xz (and liblzma) versions 5.6.0-1 and > 5.6.1-1. I note that cywin currently is suggesting an upgrade to 5.6.1-1, which > is unsafe. I've looked at the cygwin archives and I don't see a reference to > this: sorry if you're already aware of this issue. > > References: > https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 > https://access.redhat.com/security/cve/CVE-2024-3094 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094 > https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/ https://seclists.org/oss-sec/2024/q1/268 -- Take care. Thanks, Brian Inglis Calgary, Alberta, Canada La perfection est atteinte Perfection is achieved non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut -- Antoine de Saint-Exupéry ^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-03-30 8:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <em9acc6e7a-921f-4922-a5dd-77cc63657601@fece094b.com>
2024-03-30 8:08 ` xz upstream backdoor compromise (was: Cygwin: Linux xz issue) Brian Inglis
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).