Tumbleweed today - xz security alert and CVE-2024-3094

Re: xz security alert and CVE-2024-3094 - openSUSE Factory - openSUSE Mailing Lists

1 Like

Hmmm, trying to parse the impact of that response I can’t see that I need to be concerned, having still not advanced beyond xz 5.4.5-1.1.x86-64.

Then you never installed the affected version.

I recommend the openSUSE Tumbleweed release to consider auditing the whole infrastructure used for the development and release of this rolling distribution of openSUSE. I personally experienced during the last two months an inexplicable behavior of zypper when I am updating my system. Usually, zypper dup took a reasonable amount of time to complete the whole process. But in February and March, for just less than a thousand packages to update, the process took several hours to complete. The above-mentioned behavior was noticed at each step of the update process. For example, refreshing alone the package repositories (about 30) I am using in my system could sometimes last more than an hour; parsing a single repository took more than a minute.
Since the disclosure of the security issue about the backdoor introduced in the xz software, zypper started functioning again like before.
I apologize for this delayed statement of my own observation. I had no account in any mailing list.

Really?? You have thirty repos set as Enabled and active?! If yes, I’m not surprised about the delay. (a bit off-topic about this).

This is far too many repos. As Aggie said, not really on topic for this discussion, but you should open a new topic for this issue so someone can help you narrow down the repo selection that you have in place.

It is natural that the more repos you have, the more impact to the system there’s going to be when updating. Usually when we see this, it’s because someone’s used one-click repos for some individual repos (probably a bunch of home: repos as well), and that is a recipe for problems with the setup.

My question was particular to the second downgrade to xz 5.4-3.2.

A version apparently lower than the rpm installed on my systems.

I have no idea what you are talking about. The only version currently present in Tumbleweed is 5.6.1.revertto5.4-2.1.

@jedibeeftrix you should have something similar to:

zypper se -si xz liblzma

S | Name               | Type    | Version               | Arch   | Repository
--+--------------------+---------+-----------------------+--------+----------------------
i | liblzma5           | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)
i | liblzma5-32bit     | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)
i | liblzma5-x86-64-v3 | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)
i | xz                 | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)
i | xz-devel           | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)

1 Like
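As an added example (not Malcolm's command, the thread's own code, or openSUSE tooling), the POSIX shell script below parses the `zypper se -si xz liblzma` table format shown in the post above and labels each installed xz/liblzma build against CVE-2024-3094: upstream releases 5.6.0 and 5.6.1 carried the backdoor, and the `5.6.1.revertto5.4` build is openSUSE's rollback to the 5.4 sources. The function names are my own; the table with an affected version is constructed for the demonstration, the other table is the one quoted in the thread.

```sh
#!/bin/sh
# Added example: audit zypper's installed-package table for the xz backdoor versions.

# classify_xz_version VERSION  -> prints "reverted", "affected" or "clean"
classify_xz_version() {
  case "$1" in
    5.6.1.revertto5.4*) echo reverted ;;   # openSUSE rollback build, 5.4 sources
    5.6.0*|5.6.1*)      echo affected ;;   # backdoored upstream releases
    *)                  echo clean ;;      # anything else, e.g. 5.4.5
  esac
}

# parse_zypper_table: reads `zypper se -si xz liblzma` output on stdin and prints
# "name version status" for every row whose S column is "i" (installed).
parse_zypper_table() {
  while IFS='|' read -r status name _type version _rest; do
    case "$status" in
      i*) ;;            # installed package row
      *) continue ;;    # header, separator, blank or non-installed rows
    esac
    name=$(printf '%s' "$name" | tr -d ' ')
    version=$(printf '%s' "$version" | tr -d ' ')
    printf '%s %s %s\n' "$name" "$version" "$(classify_xz_version "$version")"
  done
}

# has_affected: reads parse_zypper_table output on stdin, prints "yes" or "no"
has_affected() {
  found=no
  while read -r _name _version status; do
    if [ "$status" = affected ]; then found=yes; fi
  done
  printf '%s\n' "$found"
}

# Table quoted in the thread (all rows are the reverted build).
THREAD_TABLE='S | Name               | Type    | Version               | Arch   | Repository
--+--------------------+---------+-----------------------+--------+----------------------
i | liblzma5           | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)
i | liblzma5-32bit     | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)
i | xz                 | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)'

# Constructed table (not real output) mixing a clean, an affected and a reverted build.
SAMPLE_TABLE='S | Name               | Type    | Version               | Arch   | Repository
--+--------------------+---------+-----------------------+--------+----------------------
i | liblzma5           | package | 5.4.5-1.1             | x86_64 | Main Repository (OSS)
i | xz                 | package | 5.6.1-1.1             | x86_64 | Main Repository (OSS)
i | xz-devel           | package | 5.6.1.revertto5.4-2.1 | x86_64 | Main Repository (OSS)'

# Demonstration on the constructed table; on a real system pipe
# `zypper se -si xz liblzma` into parse_zypper_table instead.
printf '%s\n' "$SAMPLE_TABLE" | parse_zypper_table
printf 'affected build installed: %s\n' "$(printf '%s\n' "$SAMPLE_TABLE" | parse_zypper_table | has_affected)"
```

The version match is deliberately on the rpm version string rather than on the repository name, so a leftover 5.6.x package from a third-party or home: repo is still flagged even after the main repository has been rolled back.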

Thanks, Malcolm.

I have been hanging fire on a zypper dup until KDE 6.0.4/Frameworks 6.1/Apps 24.0.2 drop in the middle next week. I’ll confirm then.
