Linux xz issue
Ron Murray
rjmx@rjmx.net
Fri Mar 29 22:43:53 GMT 2024
There is a serious security issue with xz (and liblzma) versions 5.6.0-1
and 5.6.1-1. I note that cywin currently is suggesting an upgrade to
5.6.1-1, which is unsafe. I've looked at the cygwin archives and I don't
see a reference to this: sorry if you're already aware of this issue.
References:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/
Thanks,
.....Ron
--
Ron Murray <rjmx@rjmx.net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
More information about the Cygwin
mailing list