[Bug 2055422] Re: Please sync xz-utils 5.6.0-0.2 from Debian experimental
Sergio Oller
2055422 at bugs.launchpad.net
Sat Mar 30 06:19:24 UTC 2024
I just read about the backdoor on xz-utils from CVE-2024-3094 (not yet
synced to Launchpad CVE, I can't use the Link to CVE feature) and I
wanted to know more about Ubuntu's status.
Please avoid syncing any vulnerable version.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3094
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to xz-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2055422
Title:
Please sync xz-utils 5.6.0-0.2 from Debian experimental
Status in xz-utils package in Ubuntu:
New
Bug description:
Xz-utils 5.6.0 was released last Friday. It features much faster
decompression code on all platforms, but on x86_64 in particular, it is
60% faster in my testing. It also aligns better with current practices of
enabling multi-threading by default (always with a default memory
limit of 25% of the system physical memory).
Sebastian Andrzej Siewior has uploaded it to experimental and after a
few fixes for integration (due to extra output on stderr in
particular), has uploaded xz-utils 5.6.0-0.2.
I expect tests to pass now considering they almost all succeeded with the first upload.
I am aware of tweaks to other packages too but I'm not sure they will actually be needed with this new upload and since they relate to pristine-tar and/or dpkg, I think it's probably better to be sure first due to the ongoing migrations.
Thanks.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2055422/+subscriptions