Date: Fri, 29 Mar 2024 21:39:09 +0100
From: Mark Wielaard
To: overseers@sourceware.org
Cc: gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Subject: Security warning about xz library compromise
Message-ID: <20240329203909.GS9427@gnu.wildebeest.org>
List-Id: Gdb mailing list

Sourceware hosts are not affected by the latest xz backdoor.

But we have reset the https://builder.sourceware.org containers of
debian-testing, fedora-rawhide and opensuse-tumbleweed. These
containers, however, didn't have ssh installed, were running on isolated
VMs on separate machines from our main hosts, snapshots and backup
servers.

If you are running one of these distros on your development machines
then please consult your distro security announcements:

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://news.opensuse.org/2024/03/29/xz-backdoor/