Re: Backdoor in xz, should we switch compression format for tarballs?

2024-03-31 Thread Michael Tokarev
30.03.2024 13:03, Stefan Hajnoczi: On Fri, 29 Mar 2024 at 14:00, Paolo Bonzini wrote: For more info, see https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/ but, essentially, xz was backdoored and it seems like upstream was directly responsible for this.

Re: Backdoor in xz, should we switch compression format for tarballs?

2024-03-30 Thread Stefan Hajnoczi
On Fri, 29 Mar 2024 at 14:00, Paolo Bonzini wrote: > > For more info, see > https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/ > but, essentially, xz was backdoored and it seems like upstream was directly > responsible for this. > > Based on this, should we

Re: Backdoor in xz, should we switch compression format for tarballs?

2024-03-29 Thread Alex Bennée
Also does qemu link to libarchive? The original analysis wasn't a full reverse engineer of the payload so we don't know if it only affects sshd. On Sat, 30 Mar 2024, 07:01 Daniel P. Berrangé wrote: > On Fri, Mar 29, 2024 at 06:59:30PM +0100, Paolo Bonzini wrote: > > For more info, see > > >

Re: Backdoor in xz, should we switch compression format for tarballs?

2024-03-29 Thread Daniel P. Berrangé
On Fri, Mar 29, 2024 at 06:59:30PM +0100, Paolo Bonzini wrote: > For more info, see > https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/ > but, essentially, xz was backdoored and it seems like upstream was directly > responsible for this. > > Based on this, should

Re: Backdoor in xz, should we switch compression format for tarballs?

2024-03-29 Thread Alex Bennée
Um maybe? From what I've read so far it doesn't seem the format is compromised but it certainly seems like a concerted attempt to subvert an upstream. However a knee-jerk jump to another format might be premature without carefully considering if other upstreams have been targeted. I guess zstd

Backdoor in xz, should we switch compression format for tarballs?

2024-03-29 Thread Paolo Bonzini
For more info, see https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/ but, essentially, xz was backdoored and it seems like upstream was directly responsible for this. Based on this, should we switch our distribution from bz2+xz to bz2+zstd or bz2+lzip? Thanks,