From ca6dbcc1099714386da3614d38c8b001ff532fca Mon Sep 17 00:00:00 2001
From: Alexander von Gluck IV
Main Development List
RSS feed
A low traffic mailing list for Haiku, Inc. to announce critical security vulnerabilities in Haiku.
++Subscribe | +Message archive | +RSS feed +
+Development of third party applications that run on Haiku are discussed in this list. (e.g. new native software to run on Haiku).
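Review bot: the two list descriptions in this hunk need a grammar pass. "A low traffic mailing list for Haiku, Inc. to announce critical security vulnerabilities in Haiku." should hyphenate "low-traffic", and "Development of third party applications that run on Haiku are discussed in this list" has a singular subject, so it should read "Development of third-party applications that run on Haiku is discussed in this list". The haiku-security blurb would also benefit from saying whether the list is announce-only, since "to announce critical security vulnerabilities" implies it but the entry carries the same Subscribe / Message archive / RSS feed links as the discussion lists.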
diff --git a/content/security/_index.md b/content/security/_index.md new file mode 100644 index 000000000..3f88c16af --- /dev/null +++ b/content/security/_index.md @@ -0,0 +1,14 @@ ++++ +type = "article" +title = "Security Disclosure" +date = "2024-03-30T00:00:00.000Z" +tags = ["security", "CVE", "Exploit"] ++++ + +Here, Haiku documents critical security vulnerabilities which may impact users + +# Critical Vulnerabilities + +Package | CVE +---------|-------------------- +Xz | [CVE-2024-3094](/security/CVE-2024-3094) diff --git a/content/security/cve-2024-3094.md b/content/security/cve-2024-3094.md new file mode 100644 index 000000000..383e40531 --- /dev/null +++ b/content/security/cve-2024-3094.md 
@@ -0,0 +1,28 @@ ++++ +type = "article" +title = "CVE-2024-3094" +date = "2024-03-30T00:00:00.000Z" +tags = ["security", "CVE", "Exploit"] ++++ + +# Xz: malicious code in distributed source + +* Date: 2024-03-30 +* Severity: Critical +* Type: Authentication bypass / Remote code execution +* Source: [CVE](https://www.cve.org/CVERecord?id=CVE-2024-3094) +* Communication: Mailing Lists - haiku,haiku-developers,[haiku-security](https://freelists.org/post/haiku-security/NOTICE-Major-CVE-backdoor-in-xz-utils5611,1) + +## Description + +Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. + +## Impacts + +While Haiku users may not be directly impacted given the Linux target for this backdoor, it's recommended to upgrade to a unaffected version as soon as possible. Haiku will closely monitor updates from the Xz team and take recommended actions. + +## HaikuPorts + +Package | Affected | Fixed | Fix +------------|---------------------|-------------------------|------------------------------ +xz_utils | xz_utils-5.6.1-1 | xz_utils-5.6.1-2 | [Update SOURCE_URI](https://github.com/haikuports/haikuports/commit/3644a3db2a0ad46971aa433c105e2cce9d141b46)
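Review bot: in the `content/security/_index.md` hunk, the table row `Xz | [CVE-2024-3094](/security/CVE-2024-3094)` links an upper-case path while the file added in the same patch is `content/security/cve-2024-3094.md`; Hugo lowercases generated paths by default, so the link should be `/security/cve-2024-3094` (or the filename and the link should at least agree in case) to avoid a 404 on a case-sensitive host. Two smaller points: the intro line "Here, Haiku documents critical security vulnerabilities which may impact users" is missing its full stop, and the Package column says "Xz" whereas the CVE page's HaikuPorts table calls the package `xz_utils`; using the HaikuPorts package name in the index lets users match it against what `pkgman` reports.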
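Review bot: in the `content/security/cve-2024-3094.md` hunk, the HaikuPorts table gives `xz_utils-5.6.1-1` as Affected and `xz_utils-5.6.1-2` as Fixed with the fix being "Update SOURCE_URI", but the Description says the malicious code ships in the upstream tarballs "starting with version 5.6.0", so both columns show an affected upstream version; add one sentence stating why the rebuilt -2 package is clean (the Description already supplies the basis: the payload is carried by the distributed tarballs and unpacked by their build process, so the page should say that the new SOURCE_URI no longer fetches that tarball). The Impacts paragraph hedges with "may not be directly impacted given the Linux target" while the table names a concrete shipped package; saying whether 5.6.1-1 was built from the affected tarball, and therefore whether its liblzma carried the modified functions, is what a user deciding whether to act needs. Typos: "upgrade to a unaffected version" should be "an unaffected version", and "Mailing Lists - haiku,haiku-developers,[haiku-security]" needs spaces after the commas.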