On Sat, 30 Mar 2024 at 17:18, Richard Purdie <[email protected]> wrote:
>
> On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > From what is publicly known it injected malicious code (through m4
> > macro using payload hidden in obfuscated compressed test file) into
> > built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in
> > sshd (when sshd is built with patch adding systemd notifications
> > which brings liblzma dependency to sshd e.g. on debian and ubuntu
> > based systems).
> >
> > The build systems which just built this xz version shouldn't be
> > affected (as it won't be using the liblzma.so from the OE build on
> > the host).
> >
> > This publicly known part should be OK for OE, but it's right to be
> > worried about the other things which aren't known (not only from
> > these guys or from xz project).
>
> I concur.
>
> It is worrying but I've kind of been expecting something like this for
> a while unfortunately.
>
> We need to watch what is going on and act accordingly if/as anything
> else becomes known.

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Distros have downgraded to older releases, still trying to figure out which version to use.

> Cheers,
>
> Richard
View/Reply Online (#197681): https://lists.openembedded.org/g/openembedded-core/message/197681
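A host-side check for the dependency chain Martin describes above (sshd pulling in liblzma.so.5 through the systemd-notification patch), added here as an example and not part of the thread or of OE. The ldd listings are constructed, and the /usr/sbin/sshd path is an assumption that can be overridden with SSHD=/path.

```shell
#!/bin/sh
# Constructed ldd listings, not captured from a real host.
# Distro-style sshd with the systemd-notify patch: libsystemd drags in liblzma.
SAMPLE_PATCHED='linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
# Upstream-style sshd without that patch: no liblzma in the process image.
SAMPLE_CLEAN='linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Print the resolved liblzma path from an ldd listing; exit 1 if it is absent.
# ldd shows the full transitive closure, so a library pulled in only via
# libsystemd still appears here, which is exactly the case that matters.
liblzma_in_ldd() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^liblzma\.so/ { print $3; found = 1 } END { exit !found }'
}

# Classify a listing as one of:
#   clean                    liblzma is not mapped into sshd at all
#   liblzma-with-libsystemd  the systemd-notify build path from the thread
#   liblzma-only             liblzma present via some other dependency
classify_ldd() {
  if ! printf '%s\n' "$1" | grep -q '^[[:space:]]*liblzma\.so'; then
    echo clean
  elif printf '%s\n' "$1" | grep -q '^[[:space:]]*libsystemd\.so'; then
    echo liblzma-with-libsystemd
  else
    echo liblzma-only
  fi
}

# Live check on this host. Assumed default path; override with SSHD=/path.
check_host() {
  bin=${SSHD:-/usr/sbin/sshd}
  [ -x "$bin" ] || { echo "no sshd binary at $bin" >&2; return 2; }
  out=$(ldd "$bin") || return 2
  classify_ldd "$out"
  liblzma_in_ldd "$out" || true
}
```

A result of liblzma-with-libsystemd means the host's sshd has the exposure path the thread describes and its liblzma.so.5 provenance is worth verifying against the distro's fixed package.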
