Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin569335 -> 569494 bytes
-rw-r--r--metadata/glsa/glsa-202403-04.xml47
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
5 files changed, 64 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 27110502b717..a5ba4a7ce864 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 569335 BLAKE2B 07f6153cc527f8ef0be40a2cc21b4fbdd6901249b5c3c569cd1c78321017cd55d98800cf292cc33ffbd6842d685a59c8343e534c4ede0d598730df983a8c33f4 SHA512 5d341348a510bcd14cd0388e2d6bdaccf622bfa08eed783dcee916769bbf2f8d31fa0fb57d0f3bfcce315df08c0e1c93572bfdc703a005d69ab200628e23c99b
-TIMESTAMP 2024-03-29T18:40:30Z
+MANIFEST Manifest.files.gz 569494 BLAKE2B 475196fd0ff28d6023f45e6c22284bded2028bbe891778e3828fb75c3727438168bcd5ab63fe48683bb5874710c096e12470eee93163ae90c07d1f9d79810710 SHA512 94822c7f83b3b68b28e1885c442c2d9b5794eb5f861b8a0862162601a2c2b03cdc2bb6144d8b4a1d61befedf2ff1952e540c518e34c7f15ff5af14b7dc567fcb
+TIMESTAMP 2024-03-30T00:41:30Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmYHCx5fFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmYHX7pfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klBKZw//T5+Hw30JmSw9gh/vPUEe+EVeRZ+gYzXFwK5gChSRv/bUx0/k1/s4ngXE
-s2912xibOfNDQu1cN+vTm7rXZM6NmU0mRR75jX5KSIUIu8hJ7PM5Grplp5VYOipi
-RzitwZiiiVVUCCaGUQq0TSAqCCc7DrsuXxbsZxiDA4FUTHQ06XYNjcTs8nd6MgWg
-PUw4T/P4IIdDLFHBXQIM5Ytlb1LFV6XETAt/kIUyz6hXHay7i1WVSUbzqC5nFAwR
-zCmpbdyAqsMaoRp+d8I5TLLK6IpL1YfCdd0wuVFdp6QTjf+8DngL+mpzYt1/Zy6Q
-cDC87kZO73CYXiH1R3eCKjfqttuG32eGYDMJ44Fv/7VnWDGSH0w3XiDKTZ3P+N5q
-aVIDhWoV3BsnZu5sCIZ0P3CxeH7f7ltlN3yfFMKRm7llTBBK/mGMLYBz5xA1c50O
-6hD9V2lCDwD7nlRctDdKnj6zzWjtKa0gstMY/I3Rv3beTW5AEMI5NYqzLcnffMGV
-lJnABIiRBAj4FMVSGPOw+G6Ahwk8VWGFHcQ0BOyz0ej4Ufy4ujy0Iz+/P6k4iWE0
-GzszyyOXIUZ1ZnBO4+VMTate6FGHIhfOR9Le5/MHGi85qhhnJhwcufqLYixK2yPv
-4dazP8zWuplyrSKzASk5eTgbyA86QaTcHsq2V2hF/O/qNtiFSpI=
-=ENDy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+=93UB
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 772e1970b334..ae360fd1f8a3 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202403-04.xml b/metadata/glsa/glsa-202403-04.xml
new file mode 100644
index 000000000000..abe207438c3d
--- /dev/null
+++ b/metadata/glsa/glsa-202403-04.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202403-04">
+ <title>XZ utils: Backdoor in release tarballs</title>
+ <synopsis>A backdoor has been discovered in XZ utils that could lead to remote compromise of systems.</synopsis>
+ <product type="ebuild">xz-utils</product>
+ <announced>2024-03-29</announced>
+ <revised count="1">2024-03-29</revised>
+ <bug>928134</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-arch/xz-utils" auto="yes" arch="*">
+ <unaffected range="lt">5.6.0</unaffected>
+ <vulnerable range="ge">5.6.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>XZ Utils is free general-purpose data compression software with a high compression ratio.</p>
+ </background>
+ <description>
+ <p>A backdoor has been discovered in XZ utils. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Our current understanding of the backdoor is that is does not affect Gentoo systems, because
+
+1. the backdoor only appears to be included on specific systems and Gentoo does not qualify;
+2. the backdoor as it is currently understood targets OpenSSH patched to work with systemd-notify support. Gentoo does not support or include these patches;
+
+Analysis is still ongoing, however, and additional vectors may still be identified. For this reason we are still issuing this advisory as if that will be the case.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All XZ utils users should downgrade to the latest version before the backdoor was introduced:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&lt;app-arch/xz-utils-5.6.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3094">CVE-2024-3094</uri>
+ </references>
+ <metadata tag="requester" timestamp="2024-03-29T21:48:56.283016Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2024-03-29T21:48:56.285132Z">graaff</metadata>
+</glsa>
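Review bot: The resolution at L88-L93 only rebuilds the package; it says nothing about processes that already have the compromised liblzma mapped, and since the impact section itself describes the payload as targeting the sshd process via systemd-notify patches, a downgrade that leaves sshd running would not evict the library from memory. I would add after the code block `<p>After downgrading, restart any long-running services that may have loaded liblzma (in particular sshd), or reboot, so that the backdoored library is no longer mapped into running processes.</p>`. "specific systems" at L79 is too vague for an advisory that is telling users why they are likely unaffected; it should name the build-environment conditions that were verified, or be hedged as "build environments matching conditions still under analysis". There is also a typo at L77, `that is does not affect` should read `that it does not affect`. The numbered list inside a single `<p>` at L77-L82 relies on literal newlines for layout; if the GLSA DTD permits it, separate `<p>` elements or an `<ol>` would render more reliably — worth confirming against glsa.dtd.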
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 454b00673c42..c9c03c0cb247 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 29 Mar 2024 18:40:27 +0000
+Sat, 30 Mar 2024 00:41:28 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index f5bb639f3fe0..2db000c912a8 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-cdd0be6e1942f6fd398390a7d40b198b4617986a 1709462639 2024-03-03T10:43:59+00:00
+ad7cf37eb216318a2076f79b7aceee6389bc887b 1711749190 2024-03-29T21:53:10+00:00