CIA is not happy this got discovered.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059417
Title:
Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
To manage notifications about this bug go
** Description changed:
+ NOTE: THIS IS AN ATTEMPT AT INCLUDING A BACKDOOR. THIS IS LEFT FOR
+ HISTORICAL PURPOSES ONLY AND MUST NOT BE DONE.
+
+
Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
was r
It’s 5.4.5, so “no, but it does not contain the known backdoor”. Both
Debian and Ubuntu are currently analysing what needs to be done.
--
https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
Is "5.6.1+really5.4.5-1" secure now?
--
Important context from https://lists.debian.org/debian-security-announce/2024/msg00057.html :
Andres Freund discovered that the upstream source tarballs for xz-utils,
the XZ-format compression utilities, are compromised and inject
malicious code, at build time, into the resulting liblzma5 l
I'll dive deeper into this. The timing collides with the t64 transition
so that makes me curious. Moreover, Debian reverted to 5.4.5 so the
situation where we're on 5.6.0 doesn't match Debian either.
--
Given this has been reverted in Debian, it should not be synced into
Ubuntu.
** Changed in: xz-utils (Ubuntu)
Status: New => Won't Fix
--
It's reverted in Debian
https://tracker.debian.org/news/1515519/accepted-xz-utils-561really545-1-source-into-unstable/
Though from the changelog I didn't see the reason.
--
** Description changed:
Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
was recently released and uploaded to Debian as a bugfix only release.
Notably, this fixes a bug that causes Valgrind to issue