Report sounds serious although I am not running sshd on my Endeavour box. Currently up-to-date install has vulnerable version 5.6.1 of xz installed.
$ pacman -Q xz
xz 5.6.1-2
Hope a clean update gets pushed soon.
[Edit: so actually, the dash-2 update on my box was the already updated and fixed Arch version. I hope the upstream issue gets solved, so for clarity's sake there can be a proper version number bump.]
2 Likes
Yeah…hopefully it will be out soon.
https://security.archlinux.org/CVE-2024-3094
Or is it already…?
1 Like
Thanks for the warning - I was just about to report this here as well.
I’ve got 5.6.1-2 as well.
1 Like
“The malicious code path does not exist in the arch version of sshd, as it does not link to liblzma.”
https://security.archlinux.org/ASA-202403-1
Does that mean we are relatively safe? Is there a way to check if you’re affected or something?
The original post I linked contains a script to check for the vulnerable version. I checked the script before running it and when I did, it exited with no output.
So, maybe… yeah?
I updated the containers, but the guide also says this:
Afterwards make sure to rebuild any container images based on the affected versions and also inspect any running containers!
Anyone know how to do it?
Do you have podman / docker Arch Linux containers?
It’s written in there in detail.
I actually installed Docker right now and gave sudo docker image pull archlinux/archlinux for this purpose
It was optional for those who use it…
Well… I guess it’s no big deal if I did, right?
1 Like
Sure, if you don’t need it just remove it all
1 Like