From d9ec8de250ddc362ca4726cd6c055216b529177a Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sat, 30 Mar 2024 01:13:30 +0000
Subject: gentoo auto-resync : 30:03:2024 - 01:13:30
---
metadata/glsa/Manifest | 30 ++++++++++++-------------
metadata/glsa/Manifest.files.gz | Bin 569335 -> 569494 bytes
metadata/glsa/glsa-202403-04.xml | 47 +++++++++++++++++++++++++++++++++++++++
metadata/glsa/timestamp.chk | 2 +-
metadata/glsa/timestamp.commit | 2 +-
5 files changed, 64 insertions(+), 17 deletions(-)
create mode 100644 metadata/glsa/glsa-202403-04.xml
(limited to 'metadata/glsa')
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index 27110502b717..a5ba4a7ce864 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 569335 BLAKE2B 07f6153cc527f8ef0be40a2cc21b4fbdd6901249b5c3c569cd1c78321017cd55d98800cf292cc33ffbd6842d685a59c8343e534c4ede0d598730df983a8c33f4 SHA512 5d341348a510bcd14cd0388e2d6bdaccf622bfa08eed783dcee916769bbf2f8d31fa0fb57d0f3bfcce315df08c0e1c93572bfdc703a005d69ab200628e23c99b -TIMESTAMP 2024-03-29T18:40:30Z +MANIFEST Manifest.files.gz 569494 BLAKE2B 475196fd0ff28d6023f45e6c22284bded2028bbe891778e3828fb75c3727438168bcd5ab63fe48683bb5874710c096e12470eee93163ae90c07d1f9d79810710 SHA512 94822c7f83b3b68b28e1885c442c2d9b5794eb5f861b8a0862162601a2c2b03cdc2bb6144d8b4a1d61befedf2ff1952e540c518e34c7f15ff5af14b7dc567fcb +TIMESTAMP 2024-03-30T00:41:30Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmYHCx5fFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmYHX7pfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBKZw//T5+Hw30JmSw9gh/vPUEe+EVeRZ+gYzXFwK5gChSRv/bUx0/k1/s4ngXE -s2912xibOfNDQu1cN+vTm7rXZM6NmU0mRR75jX5KSIUIu8hJ7PM5Grplp5VYOipi -RzitwZiiiVVUCCaGUQq0TSAqCCc7DrsuXxbsZxiDA4FUTHQ06XYNjcTs8nd6MgWg -PUw4T/P4IIdDLFHBXQIM5Ytlb1LFV6XETAt/kIUyz6hXHay7i1WVSUbzqC5nFAwR -zCmpbdyAqsMaoRp+d8I5TLLK6IpL1YfCdd0wuVFdp6QTjf+8DngL+mpzYt1/Zy6Q -cDC87kZO73CYXiH1R3eCKjfqttuG32eGYDMJ44Fv/7VnWDGSH0w3XiDKTZ3P+N5q -aVIDhWoV3BsnZu5sCIZ0P3CxeH7f7ltlN3yfFMKRm7llTBBK/mGMLYBz5xA1c50O -6hD9V2lCDwD7nlRctDdKnj6zzWjtKa0gstMY/I3Rv3beTW5AEMI5NYqzLcnffMGV -lJnABIiRBAj4FMVSGPOw+G6Ahwk8VWGFHcQ0BOyz0ej4Ufy4ujy0Iz+/P6k4iWE0 -GzszyyOXIUZ1ZnBO4+VMTate6FGHIhfOR9Le5/MHGi85qhhnJhwcufqLYixK2yPv -4dazP8zWuplyrSKzASk5eTgbyA86QaTcHsq2V2hF/O/qNtiFSpI= -=ENDy +klBqyRAAgdxmOYfPuADQpfzZrEc/D1A3gekQy/YRyZ8LrtEWzIEnmKRku5uUaQpZ +EgGlywDz18bIuA19u3GV9rf2knFwEArSig7iBHs6CIcXMSi26kdpnhCi6NAL6azj +zvXklXVqJKNw8ArGS30fa1sgvgcmtWI4Rxu4twyyjj5QcU8Ka/sv3Alr1UkIQqLO 
+qkkjdlk1dHs0I2LHjfaf6vpGGcqAW0H9BmxQAEfmJf8GaFebBxwrF5dkSrmIFUpD +uuR4ITYW/z0WQOYHkRQCrfG5QnO6Tgp7nFdk1/N8LdO6JUoRSwdZxmWVEl0k6EGL +mOh82wFBCkQQnccwqmEwwyrXBAyYwaLPtAVoK8XOoyu9Pkmj5jpS6PAbamurDFdf +glZzfPpWeTNi4nJ5DrrunwkR2LAM1j44gR2xhr6OGpleL8fbRu1OnBd+akyqJIDx +5SuLh7OAAwopSRvEr7tp6aP/TWwbKPz+tQs07H8D7iwcpr7HSD4eDdD2JLOCoMfC +q6rHmko945QzpLw/eFWwvtB2mLvIOG7rUEgsYJla5uDKnphLyLfJu5r3x/qOOGgD +3HNga0w6TJDSizSDHHfac8IPBv4s3jJdVjCmkT7nGC5Y9xHsYX5AsSA5rRKAZYAv +oiX1jU8D98ClMIPI++/74uEVWHuB6N3rytOkFgZj8h1+y6beuaA= +=93UB -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz index 772e1970b334..ae360fd1f8a3 100644 Binary files a/metadata/glsa/Manifest.files.gz and b/metadata/glsa/Manifest.files.gz differ diff --git a/metadata/glsa/glsa-202403-04.xml b/metadata/glsa/glsa-202403-04.xml new file mode 100644 index 000000000000..abe207438c3d --- /dev/null +++ b/metadata/glsa/glsa-202403-04.xml @@ -0,0 +1,47 @@ + + + + XZ utils: Backdoor in release tarballs + A backdoor has been discovered in XZ utils that could lead to remote compromise of systems. + xz-utils + 2024-03-29 + 2024-03-29 + 928134 + remote + + + 5.6.0 + 5.6.0 + + + +

XZ Utils is free general-purpose data compression software with a high compression ratio.

+
+ +

A backdoor has been discovered in XZ utils. Please review the CVE identifier referenced below for details.

+
+ +

Our current understanding of the backdoor is that is does not affect Gentoo systems, because + +1. the backdoor only appears to be included on specific systems and Gentoo does not qualify; +2. the backdoor as it is currently understood targets OpenSSH patched to work with systemd-notify support. Gentoo does not support or include these patches; + +Analysis is still ongoing, however, and additional vectors may still be identified. For this reason we are still issuing this advisory as if that will be the case.

+
+ +

There is no known workaround at this time.

+
+ +

All XZ utils users should downgrade to the latest version before the backdoor was introduced:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose "<app-arch/xz-utils-5.6.0" + +
+ + CVE-2024-3094 + + graaff + graaff +
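Review bot: The resolution's `emerge --ask --oneshot --verbose "<app-arch/xz-utils-5.6.0"` only installs the older version and says nothing about stopping the backdoored release from being pulled back in, so a later `emerge --update @world` will reinstall 5.6.0 unless the tree already masks it (not visible in this diff); the advisory should either state that >=5.6.0 is masked or tell users to add `>=app-arch/xz-utils-5.6.0` to package.mask before or after the downgrade. The impact paragraph rests on "the backdoor only appears to be included on specific systems and Gentoo does not qualify" without naming which build-time conditions were checked, which leaves a reader unable to verify that claim against their own toolchain or a locally built tarball; one sentence listing the conditions, or a link to the analysis relied on, would make the hedge checkable. Minor wording: "that is does not affect" should read "that it does not affect".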
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 454b00673c42..c9c03c0cb247 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 29 Mar 2024 18:40:27 +0000
+Sat, 30 Mar 2024 00:41:28 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index f5bb639f3fe0..2db000c912a8 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-cdd0be6e1942f6fd398390a7d40b198b4617986a 1709462639 2024-03-03T10:43:59+00:00
+ad7cf37eb216318a2076f79b7aceee6389bc887b 1711749190 2024-03-29T21:53:10+00:00
--
cgit v1.2.3