Linux xz issue

Ron Murray rjmx@rjmx.net
Fri Mar 29 22:43:53 GMT 2024


There is a serious security issue with xz (and liblzma) versions 5.6.0-1 
and 5.6.1-1. I note that cywin currently is suggesting an upgrade to 
5.6.1-1, which is unsafe. I've looked at the cygwin archives and I don't 
see a reference to this: sorry if you're already aware of this issue.

References:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/

Thanks,

  .....Ron

--
Ron Murray <rjmx@rjmx.net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761


More information about the Cygwin mailing list