CVE-2024-3094: xz-utils compromise (unstable/testing only) · Issue #215 · debuerreotype/docker-debian-artifacts

The most important bit (IMO) being:

Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and
experimental distributions, with versions ranging from 5.5.1alpha-0.1
(uploaded on 2024-02-01), up to and including 5.6.1-1.

Ideally I'd do a targeted rebuild of just unstable/testing, but that's a little bit complicated with the way I currently build these. 😞

There's also a stable release happening next Saturday, so we're due for a full rebuild shortly following that anyhow.

So, given that this only affects unstable and testing and only appears (AFAICT) to affect SSH and specifically SSH when invoked via systemd (which is very uncommon in containers), I do not currently plan to do a high-priority rebuild just for this. 🙇

(I will, however, continue to monitor the situation/comms to see if the situation changes such that I should reconsider.)
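The advisory excerpt above gives the affected range as 5.5.1alpha-0.1 through 5.6.1-1 inclusive, and deciding whether a given image falls inside it means comparing Debian version strings correctly (epochs, the `~` pre-release marker, and `+really` downgrade suffixes all affect ordering). The script below is an added example, not code from the debuerreotype project or from Debian: it re-implements dpkg's version comparison algorithm so it runs offline, and feeds it a constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5` output standing in for what a container would report. All version strings other than the two range endpoints quoted in the issue are constructed samples.

```python
"""Check Debian xz-utils/liblzma5 versions against the CVE-2024-3094 affected range.

Added example for this issue; not code from debuerreotype or Debian.  The
comparison re-implements dpkg's algorithm (epoch, upstream, revision; '~' sorts
before the end of the string, letters before other punctuation) so that the
check runs without dpkg installed.  The dpkg-query output is a constructed sample.
"""

# Affected range quoted from the Debian advisory in the issue (both ends inclusive).
AFFECTED_LOW = "5.5.1alpha-0.1"
AFFECTED_HIGH = "5.6.1-1"


def _order(ch: str) -> int:
    """Sort weight of one character inside a non-digit run, as dpkg defines it."""
    if ch == "" or ch.isdigit():
        return 0            # end of string and digits both weigh zero here
    if ch == "~":
        return -1           # '~' sorts before everything, even end of string
    if ch.isalpha():
        return ord(ch)      # letters sort by code point
    return ord(ch) + 256    # other punctuation ('+', '.') sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1        # a has more digits, so it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""   # no hyphen: native package, no revision
    return epoch, upstream, revision


def debian_version_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version ordering."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def is_affected(version: str) -> bool:
    """True when AFFECTED_LOW <= version <= AFFECTED_HIGH."""
    return (debian_version_compare(AFFECTED_LOW, version) <= 0
            and debian_version_compare(version, AFFECTED_HIGH) <= 0)


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5`.
SAMPLE_DPKG_OUTPUT = """\
xz-utils 5.6.0-0.2
liblzma5 5.6.0-0.2
"""


def affected_packages(dpkg_output: str) -> list:
    """Return (package, version) pairs from dpkg-query output that fall in the range."""
    hits = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, ver = parts
        if is_affected(ver):
            hits.append((pkg, ver))
    return hits


if __name__ == "__main__":
    for pkg, ver in affected_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{pkg} {ver}: inside the advisory's affected range")
```

Two cases worth noticing: a constructed downgrade-style string such as `5.6.1+really5.4.5-1` sorts above `5.6.1-1` (because `+` weighs more than end of string), so it is correctly reported as outside the range, while anything with an epoch (`1:…`) outranks every epoch-less version regardless of the numbers that follow.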