Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
- In reply to: Kyle Evans : "Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1"
Date: Sat, 06 Apr 2024 07:23:49 UTC
On Thu, 4 Apr 2024 01:14:52 -0500 Kyle Evans <kevans@FreeBSD.org> wrote:

> On 4/4/24 00:49, FreeBSD User wrote:
> > Hello,
> >
> > I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> >
> > FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow
> > me to judge whether the described exploit mechanism also works on FreeBSD.
> > RedHat already sent out a warning, the workaround is to move back towards an older variant.
> >
> > I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in
> > private), so I would like to welcome any comment on that.
> >
> > Thanks in advance,
> >
> > O. Hartmann
> >
>
> See so@'s answer from a couple days ago:
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
> TL;DR no
>
> Thanks,
>
> Kyle Evans

Thank you very much.

Kind regards,

oh

--
O. Hartmann