Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-04-01 Thread Marta Rybczynska
On Sat, Mar 30, 2024 at 1:26 PM Richard Purdie wrote: > > On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote: > > Absolutely confirm. DO NOT UPDATE > > > > Marta > > > > On Sat, 30 Mar 2024, 02:04 Mark Hatle, > > wrote: > > > I know this request is a week or so old.. > > > > > > But do

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-04-01 Thread Marta Rybczynska
On Mon, Apr 1, 2024 at 9:02 PM Denys Dmytriyenko wrote: > > On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote: > > On Sat, 30 Mar 2024 at 17:18, Richard Purdie > > wrote: > > > > > > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote: > > > > From what is publicly known it injected

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-04-01 Thread Denys Dmytriyenko
On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote: > On Sat, 30 Mar 2024 at 17:18, Richard Purdie > wrote: > > > > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote: > > > From what is publicly known it injected malicious code (through m4 > > > macro using payload hidden in

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-04-01 Thread Fathi Boudra
On Sat, 30 Mar 2024 at 17:18, Richard Purdie wrote: > > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote: > > From what is publicly known it injected malicious code (through m4 > > macro using payload hidden in obfuscated compressed test file) into > > built liblzma.so.5 which then hijacks

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-03-30 Thread Richard Purdie
On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote: > From what is publicly known it injected malicious code (through m4 > macro using payload hidden in obfuscated compressed test file) into > built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in > sshd (when sshd is built with

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-03-30 Thread Martin Jansa
From what is publicly known it injected malicious code (through m4 macro using payload hidden in obfuscated compressed test file) into built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in sshd (when sshd is built with patch adding systemd notifications which brings liblzma

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-03-30 Thread Alexander Kanavin
I’m slightly worried. Does this compromise build systems (given that back door was injected into autoconf scripts) or only systems where xz binaries are installed? Ale On Sat 30. Mar 2024 at 13.26, Richard Purdie < richard.pur...@linuxfoundation.org> wrote: > On Sat, 2024-03-30 at 13:08 +0100,

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-03-30 Thread Richard Purdie
On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote: > Absolutely confirm. DO NOT UPDATE > > Marta > > On Sat, 30 Mar 2024, 02:04 Mark Hatle, > wrote: > > I know this request is a week or so old.. > > > > But do NOT upgrade to 'xz' 5.6.0 or 5.6.1.  It has been > > compromised: > > > >

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-03-30 Thread Marta Rybczynska
Absolutely confirm. DO NOT UPDATE Marta On Sat, 30 Mar 2024, 02:04 Mark Hatle, wrote: > I know this request is a week or so old.. > > But do NOT upgrade to 'xz' 5.6.0 or 5.6.1. It has been compromised: > > https://www.openwall.com/lists/oss-security/2024/03/29/4 > > --Mark > > On 3/14/24 8:40

Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_

2024-03-29 Thread Mark Hatle
I know this request is a week or so old.. But do NOT upgrade to 'xz' 5.6.0 or 5.6.1. It has been compromised: https://www.openwall.com/lists/oss-security/2024/03/29/4 --Mark On 3/14/24 8:40 AM, Richard Purdie wrote: On Wed, 2024-03-13 at 15:08 +0800, wangmy via lists.openembedded.org wrote:
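A host-side screening check, added here as an example and not code from the OE-core thread or from the OpenEmbedded project, covering the two points the thread makes: the releases Mark Hatle names (xz 5.6.0 and 5.6.1) and the sshd-to-liblzma link that Martin Jansa describes as the path by which the injected liblzma.so.5 reaches sshd. It assumes a POSIX shell with sed, readelf and ldd available, and that xz prints "xz (XZ Utils) <version>" on the first line of `xz --version`; the recipe path it parses is a constructed illustration of the OpenEmbedded xz_<PV>.bb naming, not a path taken from the thread. A version match is a reason to investigate, not proof of compromise, and a miss says nothing about a vendor build that kept the version string but changed the source.

```shell
#!/bin/sh
# Added example, not from the OE-core thread. Screens a host for the xz
# releases the thread warns about and for the sshd -> liblzma link that the
# described payload relies on. A match is a reason to look closer, not proof
# of compromise; a miss is not proof of a clean system.

# Return 0 if VERSION is one of the two releases named in the thread.
xz_version_is_compromised() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the bare version out of `xz --version` output, whose first line reads
# "xz (XZ Utils) 5.6.1" (assumed format). Prints nothing if it does not match.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Version of the xz on PATH; empty output and status 1 if there is none.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    xz_version_from_output "$(xz --version 2>/dev/null)"
}

# OpenEmbedded encodes the version in the recipe file name (xz_<PV>.bb).
# Return the version part of such a path, e.g. .../xz_5.6.1.bb -> 5.6.1.
recipe_version() {
    basename "$1" .bb | sed 's/^xz_//'
}

# Return 0 if BINARY's own NEEDED entries list liblzma. readelf does not run
# the target, so it is safe on a binary you do not trust. Direct links only.
needs_liblzma_directly() {
    readelf -d "$1" 2>/dev/null | grep -q 'NEEDED.*liblzma\.so'
}

# Return 0 if BINARY resolves liblzma at load time, directly or through a
# dependency (the thread's case: the systemd-notification patch pulls it in
# indirectly). ldd invokes the dynamic loader on the binary, so only use it
# on binaries you already trust; prefer needs_liblzma_directly otherwise.
links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma\.so'
}

# Human-readable summary for this host. Always returns 0 so it can be dropped
# into a larger script; call the functions above directly for machine checks.
report_host() {
    v=$(installed_xz_version) || v=""
    if [ -z "$v" ]; then
        echo "xz: not found on PATH"
    elif xz_version_is_compromised "$v"; then
        echo "xz: $v  <-- release named in the thread, inspect this host"
    else
        echo "xz: $v  (not one of the named releases)"
    fi

    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd" ]; then
        if links_liblzma "$sshd"; then
            echo "sshd: $sshd loads liblzma (the path the thread describes exists)"
        else
            echo "sshd: $sshd does not load liblzma"
        fi
    else
        echo "sshd: no binary found"
    fi
    return 0
}

report_host
```

Run it as-is for a summary, or source it and call `xz_version_is_compromised "$(installed_xz_version)"` from a fleet script to get a clean exit status. On an OpenEmbedded tree, `recipe_version` applied to the xz recipe path tells you which release a layer would build before any image is produced.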