[SID - Unstable] backdoor in upstream xz affecting openssh

[lindi]

There seems to be a backdoor in the upstream xz release that affects openssh in unstable: https://www.openwall.com/lists/oss-secu ... 24/03/29/4

[fabien]

Thank you @lindi
The version in testing and unstable has been updated in the main repository

xz-utils (5.6.1+really5.4.5-1) unstable; urgency=critical

* Non-maintainer upload by the Security Team.
* Revert back to the 5.4.5-0.2 version

-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 Mar 2024 15:59:38 +0100

Therefore, updating to 5.6.1+really5.4.5-1 is safe and recommended.

[lindi]

Updating is safe but we don't know what the obfuscated backdoor code did. It might persist even after you upgrade the package itself.

[Narodnaya Volya]

Is there any news on the current situation ?
12.6 freezed?

[sunrat]

Is there any news on the current situation ?
12.6 freezed?

It never affected Stable, only Testing and Unstable.

[Narodnaya Volya]

Is there any news on the current situation ?
12.6 freezed?

It never affected Stable, only Testing and Unstable.

Im aware of this.
https://linuxiac.com/debian-decided-to- ... 6-release/
12.6 Postponed for security reasons. But no news here.

[fabien]

12.6 Postponed for security reasons. But no news here.

Monitor the Debian News subforum: 2024-03-31

Although no Debian stable versions are known to be affected by CVE-2024-3094 the next point release for 12.6 has been postponed while we investigate the effects of this CVE on the Archive.

It is hard work that demands and deserves serenity.