On 3/31/24 07:59, Michael wrote:
On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
(moving this to gentoo-user as this is really getting off-topic for -dev)
Thanks for bringing this to our attention Rich.
Is downgrading to app-arch/xz-utils-5.4.2 all that is needed for now, or are
we meant to rebuild any other/all packages, especially if we rebuilt our
@world only a week ago as part of the move to profile 23.0?
I just ran `glsa-check -l affected` and it came up blank for me.
I ran `emerge --sync` and checked again and it indeed says my machine is
affected.
I then ran `emerge -auDN world` and it automatically downgraded.
So, all we need to do is sync and update world. It will downgrade xz-utils
automatically.
If you want to make sure, run `glsa-check -l affected` after the emerge
world; if it comes up blank, you are not affected. Or run
`glsa-check -l 202403-02` and it will tell you if you are affected:
$ glsa-check -l 202403-04
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.
202403-04 [U] XZ utils: Backdoor in release tarballs ( app-arch/xz-utils )
Dan
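
An added example, not part of the original mail: a small shell parser for the `glsa-check -l` listing format shown above. It separates a GLSA that is absent from the listing from one marked `[U]`. The function names and sample listings are constructed for illustration, and treating a missing line as "tree not synced yet" is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: classify one GLSA id from `glsa-check -l` output on stdin.
# Function names are hypothetical; sample listings are constructed from the
# output format quoted in the mail.

# glsa_status ID -> prints A, U, N, or "missing" if no line for ID exists.
glsa_status() {
    awk -v id="$1" '
        # Legend lines start with "[A]"/"[U]"/"[N]", so $1 never equals the id.
        $1 == id && $2 ~ /^\[[AUN]\]$/ { print substr($2, 2, 1); found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# glsa_verdict ID -> 0: applied or not affected, 1: might be affected,
# 2: id not listed (assumed here to mean the tree needs `emerge --sync`).
glsa_verdict() {
    case "$(glsa_status "$1")" in
        A|U) return 0 ;;
        N)   return 1 ;;
        *)   return 2 ;;
    esac
}

LEGEND='[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.'

# Constructed listings: after the downgrade, before it, and with no entry.
SAMPLE_FIXED="$LEGEND
202403-04 [U] XZ utils: Backdoor in release tarballs ( app-arch/xz-utils )"
SAMPLE_VULN="$LEGEND
202403-04 [N] XZ utils: Backdoor in release tarballs ( app-arch/xz-utils )"
SAMPLE_STALE="$LEGEND"

for name in FIXED VULN STALE; do
    eval "listing=\$SAMPLE_$name"
    rc=0
    printf '%s\n' "$listing" | glsa_verdict 202403-04 || rc=$?
    echo "$name: status=$(printf '%s\n' "$listing" | glsa_status 202403-04) rc=$rc"
done
```

On a real system, feed it the live listing, e.g. `glsa-check -l 202403-04 | glsa_verdict 202403-04`, and treat exit code 2 as "sync first, then re-check" rather than as a clean result.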