To: cygwin AT cygwin DOT com
Subject: Linux xz issue
Date: Fri, 29 Mar 2024 22:43:53 +0000
From: Ron Murray via Cygwin
Reply-To: Ron Murray

There is a serious security issue with xz (and liblzma) versions 5.6.0-1 and 5.6.1-1. I note that cygwin currently is suggesting an upgrade to 5.6.1-1, which is unsafe.

I've looked at the cygwin archives and I don't see a reference to this: sorry if you're already aware of this issue.

References:

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/

Thanks,
.....Ron

--
Ron Murray
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
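A defender-side check for the affected packages, added here as an example and not part of Ron's post or of any Cygwin tooling: it flags the compromised releases 5.6.0 and 5.6.1 (with or without a Cygwin package revision such as -1) in `xz --version` output and in `cygcheck -c` output. The `cygcheck -c` column layout and the `liblzma5` package name are assumptions, and both sample outputs are constructed.

```shell
#!/bin/sh
# Returns 0 when the given version (optionally carrying a Cygwin package
# revision, e.g. 5.6.1-1) is one of the two compromised upstream releases
# named in the report (CVE-2024-3094): 5.6.0 or 5.6.1.
xz_version_affected() {
    ver=${1%%-*}            # strip the Cygwin package revision suffix
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Scans `xz --version` output ("xz (XZ Utils) 5.6.1" / "liblzma 5.6.1") and
# returns 0 if either the tool or the library line is an affected release.
check_xz_version_output() {
    found=1
    for ver in $(printf '%s\n' "$1" | awk 'NF { print $NF }'); do
        if xz_version_affected "$ver"; then found=0; fi
    done
    return $found
}

# Scans `cygcheck -c xz liblzma5` output. The column layout (name, version,
# status) and the liblzma5 package name are assumed, not taken from the report.
check_cygcheck_output() {
    found=1
    for ver in $(printf '%s\n' "$1" | awk '$1 == "xz" || $1 == "liblzma5" { print $2 }'); do
        if xz_version_affected "$ver"; then found=0; fi
    done
    return $found
}

# Constructed sample outputs so the check runs offline. On a real Cygwin host
# pass "$(xz --version 2>/dev/null)" and "$(cygcheck -c xz liblzma5)" instead.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CYGCHECK='Cygwin Package Information
Package              Version        Status
liblzma5             5.6.1-1        OK
xz                   5.6.1-1        OK'

if check_xz_version_output "$SAMPLE_XZ_VERSION"; then
    echo "AFFECTED: xz --version reports a compromised release (CVE-2024-3094)"
fi
if check_cygcheck_output "$SAMPLE_CYGCHECK"; then
    echo "AFFECTED: installed Cygwin xz/liblzma5 package is 5.6.0 or 5.6.1"
fi
```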