Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id BB5AB225896 for <~alpine/users@lists.alpinelinux.org>; Sun, 31 Mar 2024 02:03:22 +0000 (UTC)
Date: Sun, 31 Mar 2024 04:03:20 +0200
Author: Steffen Nurpmeso
From: Steffen Nurpmeso
To: Jeffrey Walton
Cc: Stuart Longland VK4MSL, Ralf Mardorf, "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>
Subject: Re: XZ force downgrade led to removal of many packages
Message-ID: <20240331020320.8LAyJxM5@steffen%sdaoden.eu>
In-Reply-To:
References: <1c614505-92f2-42b4-ba46-b227777e0d5b@lodispoto.com> <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com> <9950f380892dea7134b69901f5ee5f7c9283ca47.camel@riseup.net> <9c66ab07-c48f-4735-a213-ac4935ba3f2e@vk4msl.com>
Mail-Followup-To: Jeffrey Walton, Stuart Longland VK4MSL, Ralf Mardorf, "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>
User-Agent: s-nail v14.9.24-612-g7e3bfac540
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Jeffrey Walton wrote in :
 |On Sat, Mar 30, 2024 at 5:26 PM Stuart Longland VK4MSL wrote:
 |>
 |> On 30/3/24 20:39, Ralf Mardorf wrote:
 |>> security through naivety is new to me.
 |>>
 |>> For example, Arch uses systemd by default, but does not link openssh
 |>> directly to liblzma. Arch uses neither RPM nor DEB. From a naive
 |>> point of view, Arch is not affected either.
 |>>
 |>> "However, out of an abundance of caution, we advise users to remove
 |>> the malicious code from their system by upgrading either way. This
 |>> is because other yet-to-be discovered methods to exploit the backdoor
 |>> could exist." -
 |>> https://lists.archlinux.org/archives/list/arch-announce@lists.archlinux.org/thread/MX363534MGK44R5UIYPK4GABKHF76TYC/
 |>
 |> If possible. Now, if you're running 3.19, according to
 |> pkgs.alpinelinux.org, the latest release of xz is 5.4.5:
 |>
 |> https://pkgs.alpinelinux.org/packages?name=xz*&branch=v3.19&repo=&arch=&maintainer=
 |
 |Jia Tan started contributing to xz circa the development version 5.3.
 |To get untainted code, you have to go back to version 5.2. But rolling
 |back to version 5.2 means ABI and symbol breaks. If you don't want to
 |go back to 5.2, then it means you have to audit over 700 commits in
 |xz. Also see .

I have downgraded to 5.4.0 locally (CRUX; server not, Alpine surely
will do the right thing).

I have seen the . Well .. the error string thing I would not call
compromised, as Ed Maste I think it was commented when he reverted
(two days, and late).

Nice Easter to the Christians. And Muslims have soon passed the
Ramadan!

 |> Meaning, the vulnerable version *should not be present*.
 |>
 |> The only way a vulnerable version could be there would be if someone
 |> installed it from `edge`: the *unstable* distribution. It comes with
 |> this warning:
 |>
 |>> Warning: edge is under constant development so be careful using it in
 |>> production. It is possible that bugs in edge could cause data loss or
 |>> could break your system.
 |> -- https://wiki.alpinelinux.org/wiki/Repositories#Edge
 |>
 |> I'd imagine that those "bugs" can include security vulnerabilities.
 |> Especially those from upstream releases, which is what we have here.
 |> This isn't the fault of the AlpineLinux developers: few of us have the
 |> resources to manually inspect every release of every package for such
 |> vulnerabilities. I've been there: I used to do it on the Mozilla and
 |> MIPS teams for Gentoo.
 |>
 |> So it would seem for the OP, the options are:
 |>
 |> 1. roll back to release 3.19, which does not include the vulnerability
 |> 2. hold tight until a fixed release can trickle down from upstream
 |
 |Jeff
 --End of

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)