Mail Archives: cygwin/2024/03/29/18:44:57

From: Ron Murray via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Ron Murray <rjmx AT rjmx DOT net>
To: cygwin AT cygwin DOT com
Subject: Linux xz issue
Date: Fri, 29 Mar 2024 22:43:53 +0000
Message-Id: <em9acc6e7a-921f-4922-a5dd-77cc63657601@fece094b.com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>

There is a serious security issue with xz (and liblzma) versions 5.6.0-1
and 5.6.1-1. I note that Cygwin currently is suggesting an upgrade to
5.6.1-1, which is unsafe. I've looked at the Cygwin archives and I don't
see a reference to this: sorry if you're already aware of this issue.

References:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/

Thanks,

  .....Ron

--
Ron Murray <rjmx AT rjmx DOT net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
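The message above names the two affected upstream releases, 5.6.0 and 5.6.1 (CVE-2024-3094). The following shell script is an added example, not part of the original post or of the Cygwin project, for auditing a host: it parses the output of `xz --version` (assumed to be in the usual `xz (XZ Utils) X.Y.Z` form), strips a distribution packaging suffix such as `-1`, and reports whether the installed version is one of the two known-backdoored releases. The sample output at the bottom is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the original post): flag xz/liblzma versions that
# CVE-2024-3094 affects (upstream 5.6.0 and 5.6.1) when auditing a host.

# Extract the first "X.Y.Z" version number from `xz --version` output.
# Takes the output text as $1 so it can be run against constructed input.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) if version string $1 is one of the known-backdoored upstream
# releases, 1 otherwise. A packaging suffix such as "-1" (Cygwin's 5.6.1-1)
# is stripped first so the comparison is against the upstream version.
xz_version_affected() {
    v=${1%%-*}
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the locally installed xz binary, if any. Prints a verdict and returns
# 0 if affected, 1 if not affected, 2 if xz is not installed on this host.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    out=$(xz --version 2>/dev/null)
    v=$(xz_version_from_output "$out")
    if xz_version_affected "$v"; then
        echo "AFFECTED: xz $v (CVE-2024-3094) - downgrade or rebuild from a clean release"
        return 0
    fi
    echo "not affected: xz $v"
    return 1
}

# Constructed sample, in the format `xz --version` prints (not captured from
# a real host); used only to exercise the parser offline.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
```

Run `check_local_xz` on a host to get a verdict and an exit status suitable for scripting; the version-only helpers can be pointed at package-manager output (for example the `5.6.1-1` string shown in the Cygwin setup dialog) without running the binary at all.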

  Copyright © 2019   by DJ Delorie     Updated Jul 2019