Re: xz upstream backdoor compromise (was: Cygwin: Linux xz issue)

Brian Inglis via Cygwin-apps Sat, 30 Mar 2024 01:09:20 -0700

On 2024-03-29 16:43, Ron Murray via Cygwin wrote:

There is a serious security issue with xz (and liblzma) versions 5.6.0-1 and5.6.1-1. I note that cywin currently is suggesting an upgrade to 5.6.1-1, whichis unsafe. I've looked at the cygwin archives and I don't see a reference tothis: sorry if you're already aware of this issue.
References:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/


        https://seclists.org/oss-sec/2024/q1/268

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry

Re: xz upstream backdoor compromise (was: Cygwin: Linux xz issue)

Reply via email to