Downgrading liblzma5, xz, xz-devel, xz-lang?

Maybe I am getting paranoid after the xz scandal. This seems normal, but wanted to ask the community anyway. Nothing in the email lists yet.

Running zypper dup a few minutes ago:

# zypper dup
Loading repository data...
Reading installed packages...
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command.
Computing distribution upgrade...

The following 4 packages are going to be downgraded:
  liblzma5 xz xz-devel xz-lang

4 packages to downgrade.
Overall download size: 856.6 KiB. Already cached: 0 B. After the operation, 38.4 KiB will be freed.

Backend:  classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): n

What is the question?

If a downgrade of these libraries was planned and expected.

To get details of the update such as its version:

zypper lu

To read the changelog:

sudo zypper dup --download-only
rpm -qp --changelog </var/cache/zypp/packages/.../path-to-rpm> | less

It is impossible to answer because you provided zero information. Show

zypper search -sx xz
zypper lr -d

Did you read this thread??

Start at the first post and read on :+1:

https://forums.opensuse.org/t/tumbleweed-today-xz-security-alert-and-cve-2024-3094/

I think it isn’t his problem. Today the packages of xz and liblzma were downgraded again! That’s his question.

2 Likes

They were not really downgraded. They were removed from the update repository.

Before

S  | Name | Type       | Version               | Arch   | Repository
---+------+------------+-----------------------+--------+-----------------------------------
i+ | xz   | package    | 5.6.1.revertto5.4-3.2 | x86_64 | openSUSE-Tumbleweed-Update
v  | xz   | package    | 5.6.1.revertto5.4-2.1 | x86_64 | openSUSE-Tumbleweed-Oss (20240329)
v  | xz   | package    | 5.6.1.revertto5.4-3.2 | i586   | openSUSE-Tumbleweed-Update
   | xz   | srcpackage | 5.6.1.revertto5.4-3.2 | noarch | openSUSE-Tumbleweed-Update

After

S  | Name | Type    | Version               | Arch   | Repository
---+------+---------+-----------------------+--------+------------------------
i+ | xz   | package | 5.6.1.revertto5.4-3.2 | x86_64 | (System Packages)
v  | xz   | package | 5.6.1.revertto5.4-2.1 | x86_64 | openSUSE-Tumbleweed-Oss

The version 5.6.1.revertto5.4-2.1 has been in main repository all the time. Release numbers are per-repository and cannot be directly compared.

2 Likes
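The before/after comparison in the post above can be automated. The following is an added example, not part of the original thread: it reads `zypper search -s` table output and reports installed packages whose build is no longer offered by any repository, along with the candidate that `zypper dup` would switch to. The function names `sample_after` and `classify_dup` are hypothetical, the sample is the "after" table from the post, and the column layout is assumed to match what is shown there.

```shell
#!/bin/sh
# Constructed sample: the "after" table quoted in the post above.
sample_after() {
cat <<'EOF'
S  | Name | Type    | Version               | Arch   | Repository
---+------+---------+-----------------------+--------+------------------------
i+ | xz   | package | 5.6.1.revertto5.4-3.2 | x86_64 | (System Packages)
v  | xz   | package | 5.6.1.revertto5.4-2.1 | x86_64 | openSUSE-Tumbleweed-Oss
EOF
}

# classify_dup (hypothetical helper): read a `zypper search -s` table on stdin.
# An installed row whose Repository is "(System Packages)" means no enabled
# repository offers that build any more, so dup falls back to a repo candidate.
# If only the part after the last "-" (the release) differs, the upstream
# version is unchanged; release numbers are per-repository.
classify_dup() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Skip preamble, separator and header lines.
    NF < 6 || trim($2) == "Name" { next }
    {
      st = trim($1); name = trim($2); type = trim($3)
      ver = trim($4); arch = trim($5); repo = trim($6)
      if (type != "package") next
      key = name "/" arch
      if (st ~ /^i/) { inst[key] = ver; irepo[key] = repo }
      else if (!(key in cand)) { cand[key] = ver; crepo[key] = repo }
    }
    END {
      for (k in inst) {
        if (irepo[k] != "(System Packages)") { print k ": in-repo " inst[k]; continue }
        if (!(k in cand)) { print k ": orphaned, no candidate"; continue }
        iu = inst[k]; sub(/-[^-]*$/, "", iu)   # strip release from installed
        cu = cand[k]; sub(/-[^-]*$/, "", cu)   # strip release from candidate
        kind = (iu == cu) ? "release-only" : "upstream-version-change"
        print k ": orphaned " inst[k] " -> " cand[k] " (" crepo[k] ") " kind
      }
    }'
}

# Stand-alone run on the constructed sample.
sample_after | classify_dup
```

On a live system the input would be `zypper search -sx xz | classify_dup`; a result of `upstream-version-change` rather than `release-only` is the case worth reading the changelog for.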

Exactly, I mean this of course. I understood that these packages were reverted to an earlier version last weekend. Now there is a new change. I was curious about this and also somehow on guard given the circumstances.

1 Like

Question asked and answered now in the mailing lists:
