BELL-SA-2024:25: xz vulnerability
Published: April 3, 2024
Last modified: April 3, 2024
Description
A high-impact security vulnerability was discovered in xz-utils. Alpaquita is not affected by this vulnerability, but out of caution we decided to switch the xz-related packages to version xz-5.2.5, which predates any known involvement of the bad actor. You can learn more from
https://bell-sw.com/blog/cve-2024-3094-a-backdoor-in-xz-utils/
So that the package manager treats the new packages as an upgrade, their package version is not rolled back. Instead, the "new old" version is indicated as a "patchlevel".
Follow the instructions in the Solution section to make sure that your system includes all the necessary updates.
Additional details for all the related CVEs are available at the links below.
Solution
The following packages should be updated to the versions listed below, or newer.
Check if the package is installed and its version by running the 'apk version <package name>' command, and update it by running the 'apk upgrade <package name>' command.
In general, it's sufficient to perform an update of all packages installed on the system by running the 'apk upgrade' command.
Product | Release | Package | Version |
---|---|---|---|
Alpaquita Linux | Stream | xz | 5.6.1_p525-r0 |
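
The "patchlevel" scheme described above can also be checked offline, for example against a package inventory exported from many hosts. The script below is an added example, not part of the original advisory or of Alpaquita's tooling. It assumes versions shaped like MAJOR.MINOR.PATCH[_pN][-rN] and that, as in apk's ordering, a `_pN` suffix sorts above the same version without it. The function names are hypothetical, and the sample versions other than the one from the table are constructed.

```sh
#!/bin/sh
# Simplified apk-style ordering for versions like 5.6.1_p525-r0.
# This is a subset of apk's rules, not a full reimplementation.

FIXED_XZ="5.6.1_p525-r0"   # fixed version from the advisory table

# split_ver VERSION: prints "UPSTREAM PATCHLEVEL REVISION".
# A missing _pN is reported as -1 so that it sorts below any patchlevel.
split_ver() {
    v=$1 rev=0 pl=-1
    case $v in *-r[0-9]*) rev=${v##*-r}; v=${v%-r*} ;; esac
    case $v in *_p[0-9]*) pl=${v##*_p}; v=${v%_p*} ;; esac
    echo "$v $pl $rev"
}

# cmp_nums A B: compares dot-separated integers, prints -1, 0 or 1.
# Missing components count as 0 (a simplification).
cmp_nums() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# ver_cmp A B: upstream version first, then patchlevel, then revision.
ver_cmp() {
    set -- $(split_ver "$1") $(split_ver "$2")   # $1..$3 = A, $4..$6 = B
    r=$(cmp_nums "$1" "$4")
    [ "$r" = 0 ] && r=$(cmp_nums "$2" "$5")      # none (-1) < any _pN
    [ "$r" = 0 ] && r=$(cmp_nums "$3" "$6")      # package revision -rN
    echo "$r"
}

# xz_status VERSION: "ok" if VERSION is the fixed version or newer.
xz_status() {
    if [ "$(ver_cmp "$1" "$FIXED_XZ")" -ge 0 ]; then echo ok; else echo outdated; fi
}

# Constructed sample inventory; only 5.6.1_p525-r0 comes from the advisory.
for v in 5.6.1-r2 5.6.1_p525-r0 5.4.5-r0; do
    printf '%-16s %s\n' "$v" "$(xz_status "$v")"
done
```

On a live system, the 'apk version <package name>' command from the Solution section remains the authoritative check.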