There is a serious security issue with xz (and liblzma) versions 5.6.0-1
and 5.6.1-1. I note that cywin currently is suggesting an upgrade to
5.6.1-1, which is unsafe. I've looked at the cygwin archives and I don't
see a reference to this: sorry if you're already aware of this issue.
References:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/
Thanks,
.....Ron
--
Ron Murray <r...@rjmx.net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple