From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <422183bb-1fcc-47b0-a729-2a360feab38d@gmail.com>
Date: Sun, 31 Mar 2024 08:39:14 -0700
List-Id: Gentoo Linux mail
Subject: Re: [gentoo-user] Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
To: gentoo-user@lists.gentoo.org
References: <2676120.BddDVKsqQX@rogueboard>
From: Daniel Frey
In-Reply-To: <2676120.BddDVKsqQX@rogueboard>

On 3/31/24 07:59, Michael wrote:
> On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
>> (moving this to gentoo-user as this is really getting off-topic for -dev)
>
> Thanks for bringing this to our attention Rich.
>
> Is downgrading to app-arch/xz-utils-5.4.2 all that is needed for now, or are
> we meant to be rebuilding any other/all packages, especially if we rebuilt our
> @world only a week ago as part of the move to profile 23.0?

I just ran `glsa-check -l affected` and it came up blank for me. I ran `emerge --sync` and checked again and it indeed says my machine is affected.

I then ran `emerge -auDN world` and it automatically downgraded.

So, all we need to do is sync and update world. It will downgrade xz-utils automatically.

If you want to make sure, run `glsa-check -l affected` after the emerge world; if it comes up blank you are not affected. Or run `glsa-check -l 202403-02` and it will tell you if you are affected:

$ glsa-check -l 202403-04
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

202403-04 [U] XZ utils: Backdoor in release tarballs ( app-arch/xz-utils )

Dan
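
The check described in the message above, as an added example that is not part of the original post: a small POSIX shell filter that reads `glsa-check -l` output and reports the status of one GLSA, including the case where the entry is missing because the tree has not been synced. The helper names (`glsa_status`, `glsa_verdict`, `check_sample`) are hypothetical, and the sample text is constructed from the output quoted in the message, with the `[N]` line made up.

```shell
#!/bin/sh
# Added example: read `glsa-check -l` output on stdin and classify one GLSA.
# glsa_status, glsa_verdict and check_sample are hypothetical helper names.

# Print the status letter (A, U or N) for GLSA id $1; print nothing if absent.
glsa_status() {
    awk -v id="$1" '
        # Data lines look like: 202403-04 [U] Title ( category/package )
        # Legend lines start with "[A]", "[U]" or "[N]" and never match the id.
        $1 == id && $2 ~ /^\[[AUN]\]$/ { print substr($2, 2, 1); exit }
    '
}

# Turn the letter into a verdict; a non-zero return means action is needed.
glsa_verdict() {
    case "$1" in
        U) echo "not affected"; return 0 ;;
        A) echo "marked as applied"; return 0 ;;
        N) echo "might be affected: update world"; return 1 ;;
        *) echo "GLSA not listed: sync first, then check again"; return 2 ;;
    esac
}

# $1 = captured output text, $2 = GLSA id
check_sample() {
    glsa_verdict "$(printf '%s\n' "$1" | glsa_status "$2")"
}

# Constructed samples. AFTER copies the output quoted in the message;
# BEFORE is the same line with a made-up [N] status; STALE has no entry,
# standing in for a tree that has not been synced yet.
SAMPLE_AFTER='[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

202403-04 [U] XZ utils: Backdoor in release tarballs ( app-arch/xz-utils )'
SAMPLE_BEFORE='202403-04 [N] XZ utils: Backdoor in release tarballs ( app-arch/xz-utils )'
SAMPLE_STALE=''

check_sample "$SAMPLE_STALE"  202403-04 || true
check_sample "$SAMPLE_BEFORE" 202403-04 || true
check_sample "$SAMPLE_AFTER"  202403-04
```

On a live system the input would come from piping `glsa-check -l 202403-04` into `glsa_status 202403-04`, assuming the listing is written to standard output.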