Hi > Am 02.04.2024 um 14:37 schrieb Jeffrey Walton via users > <[email protected]>:
>>>> what about CVE-2024-3094 and current version CSWxz? >>>> >>>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094 >>> >>> Ihsan already prepared an updated package which should show up soon. >> >> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should >> be out either today or tomorrow. > > Jia Tan started contributing to xz circa the development version 5.3. > To get untainted code, you have to go back to version 5.2. But rolling > back to version 5.2 means ABI and symbol breaks. If you don't want to > go back to 5.2, then it means you have to audit over 700 commits in > xz. Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>. > > Jia Tan started influencing code before the persona (he/she/it?) had > check-in privileges. Also see > <https://www.mail-archive.com/[email protected]/msg00571.html>. Thanks for the hint. In this case, I am going back to 5.2.9. 5.2.9 does contain security issues, but at least it should not have any code from Jian Tian. -Ihsan
