From: Stuart Longland VK4MSL
To: Ralf Mardorf
Cc: "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>
Subject: Re: XZ force downgrade led to removal of many packages
Date: Sun, 31 Mar 2024 07:25:28 +1000
Message-ID: <9c66ab07-c48f-4735-a213-ac4935ba3f2e@vk4msl.com>
In-Reply-To: <9950f380892dea7134b69901f5ee5f7c9283ca47.camel@riseup.net>
References: <1c614505-92f2-42b4-ba46-b227777e0d5b@lodispoto.com>
 <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com>
 <9950f380892dea7134b69901f5ee5f7c9283ca47.camel@riseup.net>

On 30/3/24 20:39, Ralf Mardorf wrote:
> security through naivety is new to me.
>
> For example, Arch uses systemd by default, but does not link openssh
> directly to liblzma. Arch uses neither RPM nor DEB. From a naive
> point of view, Arch is not affected either.
>
> "However, out of an abundance of caution, we advise users to remove
> the malicious code from their system by upgrading either way. This
> is because other yet-to-be discovered methods to exploit the backdoor
> could exist." -
> https://lists.archlinux.org/archives/list/arch-announce@lists.archlinux.org/thread/MX363534MGK44R5UIYPK4GABKHF76TYC/

If possible.

Now, if you're running 3.19, according to pkgs.alpinelinux.org, the latest
release of xz is 5.4.5:
https://pkgs.alpinelinux.org/packages?name=xz*&branch=v3.19&repo=&arch=&maintainer=

Meaning, the vulnerable version *should not be present*. The only way a
vulnerable version could be there would be if someone installed it from
`edge`: the *unstable* distribution. It comes with this warning:

> Warning: edge is under constant development so be careful using it in
> production. It is possible that bugs in edge could cause data loss or
> could break your system.
-- https://wiki.alpinelinux.org/wiki/Repositories#Edge

I'd imagine that those "bugs" can include security vulnerabilities,
especially those from upstream releases, which is what we have here.

This isn't the fault of the AlpineLinux developers: few of us have the
resources to manually inspect every release of every package for such
vulnerabilities. I've been there: I used to do it on the Mozilla and MIPS
teams for Gentoo.

So it would seem for the OP, the options are:

1. roll back to release 3.19, which does not include the vulnerability
2. hold tight until a fixed release can trickle down from upstream

Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
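The triage that the message above implies, as an added example that is not part of the thread and not Alpine's own tooling: confirm whether edge is enabled in /etc/apk/repositories on a host that is supposed to track a stable branch, and whether the installed xz-libs is one of the backdoored upstream releases (5.6.0 and 5.6.1, CVE-2024-3094). The package name xz-libs, the pkgname-pkgver-rN identifier layout printed by `apk info -v`, and the sample repositories file at the bottom are assumptions and constructed data, not output captured from a real host.

```sh
#!/bin/sh
# Added example, not from the list thread or from Alpine. Assumptions: the
# library package is named xz-libs, /etc/apk/repositories holds one URL per
# line with "#" disabling a line, and `apk info -v` prints pkgname-pkgver-rN.

# Upstream xz 5.6.0 and 5.6.1 are the releases that carried the backdoor
# (CVE-2024-3094). Return 0 (true) when an Alpine version string such as
# "5.6.1-r0" is one of them, 1 otherwise. "Not known bad" is not "known good":
# a rebuilt 5.6.x still needs its package changelog checked.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.0-r*|5.6.1|5.6.1-r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn an apk package identifier (pkgname-pkgver-rN; pkgver never contains
# "-", pkgname may) into its version: "xz-libs-5.4.5-r0" -> "5.4.5-r0".
apk_pkg_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([^-]+-r[0-9]+)$/\1/'
}

# Read a repositories file on stdin and print every enabled (not commented
# out) line that points at edge; exit 0 if at least one was found, else 1.
# A stray edge line is exactly how a 5.6.x xz reaches a 3.19 host.
enabled_edge_repos() {
    awk '
        /^[[:space:]]*#/ { next }          # disabled repository
        /^[[:space:]]*$/ { next }          # blank line
        /\/edge\//       { print; found = 1 }
        END              { if (found) exit 0; exit 1 }
    '
}

# Combine both checks: repositories file on stdin, installed xz-libs
# identifier as $1. Prints findings; returns 0 when clean, 1 when action
# is needed (roll back to the stable branch, or wait for a fixed build).
triage() {
    pkg_id=$1
    status=0
    if edge=$(enabled_edge_repos); then
        echo "edge repositories enabled alongside a stable branch:"
        echo "$edge"
        status=1
    fi
    ver=$(apk_pkg_version "$pkg_id")
    if xz_version_is_backdoored "$ver"; then
        echo "installed $pkg_id is a backdoored upstream xz release"
        status=1
    else
        echo "installed $pkg_id is not a known-backdoored xz release"
    fi
    return "$status"
}

# Constructed sample (not from a real host): a v3.19 host where someone
# added edge/main, with the edge build of xz-libs installed.
SAMPLE_REPOS='https://dl-cdn.alpinelinux.org/alpine/v3.19/main
https://dl-cdn.alpinelinux.org/alpine/v3.19/community
#https://dl-cdn.alpinelinux.org/alpine/edge/testing
https://dl-cdn.alpinelinux.org/alpine/edge/main'

if printf '%s\n' "$SAMPLE_REPOS" | triage "xz-libs-5.6.1-r0"; then
    echo "verdict: clean"
else
    echo "verdict: action needed"   # expected for this sample
fi

# On a live host the same call would be:
#   triage "$(apk info -v | grep '^xz-libs-[0-9]')" < /etc/apk/repositories
```

On a real 3.19 host the expected result is no enabled edge line and an xz-libs 5.4.x identifier, which the script reports as not known-backdoored. If edge is listed, `apk repositories` will keep offering edge builds on every upgrade, so removing the line (and then downgrading, which is the "roll back" option in the message) is the fix rather than pinning a single package. Checking whether sshd links liblzma (`ldd /usr/sbin/sshd | grep liblzma`) is a separate question from whether the backdoored library is present at all, which is the point of the Arch advice quoted in the thread.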