Date: Fri, 29 Mar 2024 21:39:09 +0100
From: Mark Wielaard
To: overseers@sourceware.org
Cc: gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Subject: Security warning about xz library compromise
Message-ID: <20240329203909.GS9427@gnu.wildebeest.org>

Sourceware hosts are not affected by the latest xz backdoor. But we have reset the https://builder.sourceware.org containers of debian-testing, fedora-rawhide and opensuse-tumbleweed.

These containers however didn't have ssh installed, were running on isolated VMs on separate machines from our main hosts, snapshots and backup servers.

If you are running one of these distros on your development machines then please consult your distro security announcements:

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://news.opensuse.org/2024/03/29/xz-backdoor/