mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-09 22:16:58 +02:00
The 5.6 release contained a backdoor for SSH. The 5.6 release wasn't used in Flatcar, and so far it seems that the backdoor wouldn't even be compiled for Gentoo. However, we so far don't know whether the other patches are malicious. Revert to 5.4.2 as the last known-good release (like Gentoo did). Note that the Flatcar main branch had a copy of the 5.6 ebuild but was not using it. Flatcar Alpha was on 5.4.6-r1, so before the backdoor, but the malicious contributor made other changes of unclear impact as part of this release. Similarly, Beta is on 5.4.5 and Stable is on 5.4.3. These should get downgraded, too.
2 lines
167 B
Markdown
- Downgraded xz-utils to 5.4.2 as a precaution even though Flatcar is not affected by the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))