-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5649-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xz-utils
CVE ID         : CVE-2024-3094

Andres Freund discovered that the upstream source tarballs for xz-utils,
the XZ-format compression utilities, are compromised and inject
malicious code, at build time, into the resulting liblzma5 library.

Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and
experimental distributions, with versions ranging from 5.5.1alpha-0.1
(uploaded on 2024-02-01), up to and including 5.6.1-1. The package has
been reverted to use the upstream 5.4.5 code, which we have versioned
5.6.1+really5.4.5-1.

Users running Debian testing and unstable are urged to update the
xz-utils packages.

For the detailed security status of xz-utils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xz-utils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYG4XBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QBZg/9HMXAGIvBC12v8PSnp6EjnagxXBjTqLIJzEwQFgmC1cS58Kmv214c3fD+
rxHEfqQxcgjVSWPbIgI5ZXf1XZtx1YiMGRd9aEvKQSwLu0ox0/UR5igZakLrZb+n
t1qvH8AGYQhK41ysFJVwNulUXqqopvGEPgwopLfGPn8P3zjOrs0BoLqYmQ0nbsv3
92l9rAYk6W7G+L3Gwp/cQVzqmyErlEk/QB3Ld+6HLP7a8shY+A8a7iVHE1vkzNjw
JeZ2shIrvkCJqb1/BVSJU92fy2P4xjiMY8phDum7dzWnyy0WZLa90B/tDF9WB7Ok
nuUa020yxjflnabSM112We1V8D5sh18X30NK8scXiCD5cbPEysGqaUf8Baik9qux
Wkn60oqLKFN0VdrUxeqyLp1AC7wEiysQaNqv/8ZqhYF3/KxrbzgBOVy9XeB3pEfk
oLLPtUeH3kuXGw2Qp+Kqg3Zlfe04XZZX5kme/7PFkBvjZ8JFH7dWW+eEO9MbnsPD
br0tWxod0jhvLdZ6YLFad6q2jkjqO3LH3+SYAhp+otcY1TNpIe7xWAB+Phj0TJqu
IoSnYutqEb4mwoUzn9vZRzOxLvyePEJwbFG89sQf4GCYm4FwDhyB51Eo5piC7Fre
EtfsmdU7xAl6tljtUkzTHz27dBIokrgw4W0YrYaeUSmm3jKttPA=
=522l
-----END PGP SIGNATURE-----