From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Ron Murray"
To: cygwin@cygwin.com
Subject: Linux xz issue
Date: Fri, 29 Mar 2024 22:43:53 +0000

There is a serious security issue with xz (and liblzma) versions 5.6.0-1 and 5.6.1-1. I note that cygwin currently is suggesting an upgrade to 5.6.1-1, which is unsafe. I've looked at the cygwin archives and I don't see a reference to this: sorry if you're already aware of this issue.

References:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/

Thanks,
.....Ron

--
Ron Murray
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
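As an added example (not part of Ron's message or of any Cygwin tooling), the following script checks whether the locally installed xz and liblzma are at one of the two upstream releases the message names, 5.6.0 and 5.6.1. It parses the two lines that `xz --version` prints and tolerates the Cygwin package-revision suffix ("5.6.1-1"); the sample output strings in the functions' docstrings are constructed for illustration.

```python
import re
import subprocess

# Upstream releases named in the mailing-list post as carrying the
# CVE-2024-3094 backdoor. Cygwin packages append a revision, e.g. "5.6.1-1",
# which does not change the upstream code and is therefore ignored.
AFFECTED_RELEASES = {(5, 6, 0), (5, 6, 1)}


def parse_version(text):
    """Return (major, minor, patch) from '5.6.1', '5.6.1-1' or '5.4.6'.
    Comparing tuples instead of strings avoids prefix false positives."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def versions_from_xz_output(output):
    """Parse the two lines printed by `xz --version`, e.g. (constructed):
           xz (XZ Utils) 5.6.1
           liblzma 5.6.1
    and return {'xz': (5, 6, 1), 'liblzma': (5, 6, 1)}. Both are checked
    because the backdoor lives in liblzma, which can differ from the binary."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"(xz|liblzma)\b.*?(\d+\.\d+\.\d+)", line)
        if m:
            found[m.group(1)] = parse_version(m.group(2))
    return found


def affected_components(versions):
    """Return the component names whose version is an affected release."""
    return sorted(name for name, v in versions.items() if v in AFFECTED_RELEASES)


def check_installed():
    """Run the installed xz and report affected components.
    Returns [] when clean or when xz is not installed / not runnable."""
    try:
        proc = subprocess.run(["xz", "--version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return affected_components(versions_from_xz_output(proc.stdout))


if __name__ == "__main__":
    hits = check_installed()
    print("AFFECTED: " + ", ".join(hits) if hits else "xz/liblzma not at an affected release")
```

Run it on the Cygwin host before accepting the 5.6.1-1 upgrade the installer proposes; a non-empty result means the package should be held back or downgraded.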