On Tue, Apr 2, 2024 at 8:23 AM Ihsan Dogan via users <[email protected]> wrote:
>
> > On 02.04.2024 at 14:03, Dagobert Michelsen <[email protected]> wrote:
> >
> >> what about CVE-2024-3094 and current version CSWxz?
> >>
> >> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> >
> > Ihsan already prepared an updated package which should show up soon.
>
> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should be
> out either today or tomorrow.

Jia Tan started contributing to xz circa the development version 5.3. To get untainted code, you have to go back to version 5.2. But rolling back to version 5.2 means ABI and symbol breaks. If you don't want to go back to 5.2, then it means you have to audit over 700 commits in xz. Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>.

Jia Tan started influencing code before the persona (he/she/it?) had check-in privileges. Also see <https://www.mail-archive.com/[email protected]/msg00571.html>.

Jeff
