LAB-linuxserver/cstate
1
0
Fork 0
mirror of https://github.com/linuxserver/cstate.git synced 2026-01-21 12:32:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

deploy: 7a0c376a2698bfc349465a7a3597775e26bd6d91

Browse Source
This commit is contained in:
Roxedus 2024-03-30 14:09:28 +00:00
parent 4e30cd3dd3
commit 00a5c3a056
12 changed files with 35 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
affected/vulnerabilities/index.html
View File

File diff suppressed because one or more lines are too long

2
affected/vulnerabilities/index.json
View File

@ -1 +1 @@
{"is":"system","title":"Vulnerabilities","permalink":"https://info.linuxserver.io/affected/vulnerabilities/","status":"notice","pages":[{"is":"issue","title":"Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils","createdAt":"2024-03-29 22:00:00 +0000 UTC","lastMod":"2024-03-29 20:30:57 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/","severity":"notice","resolved":false,"informational":false,"resolvedAt":"<no value>","affected":["Vulnerabilities"],"filename":"2024-03-29-cve-2024-3094.md"},{"is":"issue","title":"log4j Vulnerability","createdAt":"2021-12-13 15:00:00 +0000 UTC","lastMod":"2022-02-18 16:19:06 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2021-12-13-log4j/","severity":"notice","resolved":true,"informational":false,"resolvedAt":"2022-02-18 18:00:00Z","affected":["Vulnerabilities","unifi-controller","booksonic-air","fleet","airsonic","habridge","nzbhydra2","davos","booksonic","ubooquity"],"filename":"2021-12-13-log4j.md"},{"is":"issue","title":"Authelia Vulnerability","createdAt":"2021-05-30 00:00:00 +0000 UTC","lastMod":"2021-05-30 16:53:02 +0100 +0100","permalink":"https://info.linuxserver.io/issues/2021-05-30-authelia/","severity":"notice","resolved":true,"informational":false,"resolvedAt":"2021-05-30","affected":["Vulnerabilities","authelia","swag"],"filename":"2021-05-30-authelia.md"}]}
{"is":"system","title":"Vulnerabilities","permalink":"https://info.linuxserver.io/affected/vulnerabilities/","status":"notice","pages":[{"is":"issue","title":"Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils","createdAt":"2024-03-29 22:00:00 +0000 UTC","lastMod":"2024-03-30 12:32:02 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/","severity":"notice","resolved":false,"informational":false,"resolvedAt":"<no value>","affected":["Vulnerabilities"],"filename":"2024-03-29-cve-2024-3094.md"},{"is":"issue","title":"log4j Vulnerability","createdAt":"2021-12-13 15:00:00 +0000 UTC","lastMod":"2022-02-18 16:19:06 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2021-12-13-log4j/","severity":"notice","resolved":true,"informational":false,"resolvedAt":"2022-02-18 18:00:00Z","affected":["Vulnerabilities","unifi-controller","booksonic-air","fleet","airsonic","habridge","nzbhydra2","davos","booksonic","ubooquity"],"filename":"2021-12-13-log4j.md"},{"is":"issue","title":"Authelia Vulnerability","createdAt":"2021-05-30 00:00:00 +0000 UTC","lastMod":"2021-05-30 16:53:02 +0100 +0100","permalink":"https://info.linuxserver.io/issues/2021-05-30-authelia/","severity":"notice","resolved":true,"informational":false,"resolvedAt":"2021-05-30","affected":["Vulnerabilities","authelia","swag"],"filename":"2021-05-30-authelia.md"}]}

9
affected/vulnerabilities/index.xml
View File

@ -1,6 +1,9 @@
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><link rel="alternate" type="text/html" href="https://info.linuxserver.io"/><title>Vulnerabilities on Info :: LinuxServer.io</title><link>https://info.linuxserver.io/affected/vulnerabilities/</link><description>History</description><generator>github.com/cstate</generator><language>en</language><lastBuildDate>2024-03-29T22:00:00+00:00</lastBuildDate><updated>2024-03-29T22:00:00+00:00</updated><atom:link href="https://info.linuxserver.io/affected/vulnerabilities/index.xml" rel="self" type="application/rss+xml"/><item><title>Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils</title><link>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</link><pubDate>Fri, 29 Mar 2024 22:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</guid><category/><description>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under CVE-2024-3094, which could allow remote code execution under certain circumstances. The original report is available here if you are interested in the technical details.
We have evaluated all of our current base images for indications that they may be vulnerable to this exploit:
Our Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.</description><content type="html">&lt;p>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under &lt;a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094">CVE-2024-3094&lt;/a>, which could allow remote code execution under certain circumstances. The original report is available &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">here&lt;/a> if you are interested in the technical details.&lt;/p>
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><link rel="alternate" type="text/html" href="https://info.linuxserver.io"/><title>Vulnerabilities on Info :: LinuxServer.io</title><link>https://info.linuxserver.io/affected/vulnerabilities/</link><description>History</description><generator>github.com/cstate</generator><language>en</language><lastBuildDate>2024-03-29T22:00:00+00:00</lastBuildDate><updated>2024-03-29T22:00:00+00:00</updated><atom:link href="https://info.linuxserver.io/affected/vulnerabilities/index.xml" rel="self" type="application/rss+xml"/><item><title>Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils</title><link>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</link><pubDate>Fri, 29 Mar 2024 22:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</guid><category/><description>Update - 2024-03-30 Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to &amp;ldquo;may allow unauthorized access to affected systems&amp;rdquo;.
As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.</description><content type="html">&lt;h3 id="update---2024-03-30">Update - 2024-03-30&lt;/h3>
&lt;p>Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to &amp;ldquo;may allow unauthorized access to affected systems&amp;rdquo;.&lt;/p>
&lt;p>As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.&lt;/p>
&lt;h3 id="original-post">Original Post&lt;/h3>
&lt;p>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under &lt;a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094">CVE-2024-3094&lt;/a>, which could allow remote code execution under certain circumstances. The original report is available &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">here&lt;/a> if you are interested in the technical details.&lt;/p>
&lt;p>We have evaluated all of our current base images for indications that they may be vulnerable to this exploit:&lt;/p>
&lt;ul>
&lt;li>Our Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.&lt;/li>

6
index.html
View File

File diff suppressed because one or more lines are too long

2
index.json
View File

@ -1 +1 @@
{"is":"index","cStateVersion":"5.6.1","apiVersion":"2.0","title":"Info :: LinuxServer.io","languageCodeHTML":"en","languageCode":"en","baseURL":"https://info.linuxserver.io","description":"LinuxServer.io Status page","summaryStatus":"notice","categories":[{"name":"Images","description":"Information regarding our images","hideTitle":false,"closedByDefault":false},{"name":"Security","hideTitle":false,"closedByDefault":false}],"pinnedIssues":[],"systems":[{"name":"Deprecations","category":"Images","status":"ok","unresolvedIssues":[]},{"name":"New Containers","category":"Images","status":"ok","unresolvedIssues":[]},{"name":"Vulnerabilities","category":"Security","status":"notice","unresolvedIssues":[{"is":"issue","title":"Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils","createdAt":"2024-03-29 22:00:00 +0000 UTC","lastMod":"2024-03-29 20:30:57 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/","severity":"notice","resolved":false,"informational":false,"resolvedAt":"<no value>","affected":["Vulnerabilities"],"filename":"2024-03-29-cve-2024-3094.md"}]},{"name":"Known Issues","category":"Images","status":"ok","unresolvedIssues":[]},{"name":"Notifications","category":"Images","status":"ok","unresolvedIssues":[]}],"buildDate":"2024-03-29","buildTime":"20:34","buildTimezone":"UTC","colorBrand":"#0a0c0f","colorOk":"#008000","colorDisrupted":"#cc4400","colorDown":"#e60000","colorNotice":"#24478f","alwaysKeepBrandColor":"true","logo":"https://info.linuxserver.io/logo.png","googleAnalytics":"UA-00000000-1"}
{"is":"index","cStateVersion":"5.6.1","apiVersion":"2.0","title":"Info :: LinuxServer.io","languageCodeHTML":"en","languageCode":"en","baseURL":"https://info.linuxserver.io","description":"LinuxServer.io Status page","summaryStatus":"notice","categories":[{"name":"Images","description":"Information regarding our images","hideTitle":false,"closedByDefault":false},{"name":"Security","hideTitle":false,"closedByDefault":false}],"pinnedIssues":[],"systems":[{"name":"Deprecations","category":"Images","status":"ok","unresolvedIssues":[]},{"name":"New Containers","category":"Images","status":"ok","unresolvedIssues":[]},{"name":"Vulnerabilities","category":"Security","status":"notice","unresolvedIssues":[{"is":"issue","title":"Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils","createdAt":"2024-03-29 22:00:00 +0000 UTC","lastMod":"2024-03-30 12:32:02 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/","severity":"notice","resolved":false,"informational":false,"resolvedAt":"<no value>","affected":["Vulnerabilities"],"filename":"2024-03-29-cve-2024-3094.md"}]},{"name":"Known Issues","category":"Images","status":"ok","unresolvedIssues":[]},{"name":"Notifications","category":"Images","status":"ok","unresolvedIssues":[]}],"buildDate":"2024-03-30","buildTime":"14:09","buildTimezone":"UTC","colorBrand":"#0a0c0f","colorOk":"#008000","colorDisrupted":"#cc4400","colorDown":"#e60000","colorNotice":"#24478f","alwaysKeepBrandColor":"true","logo":"https://info.linuxserver.io/logo.png","googleAnalytics":"UA-00000000-1"}

6
index.xml
View File

@ -1,4 +1,8 @@
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Info :: LinuxServer.io</title><link>https://info.linuxserver.io/</link><description>History</description><generator>github.com/cstate</generator><language>en</language><lastBuildDate>Fri, 29 Mar 2024 22:00:00 +0000</lastBuildDate><atom:link href="https://info.linuxserver.io/index.xml" rel="self" type="application/rss+xml"/><item><title>Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils</title><link>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</link><pubDate>Fri, 29 Mar 2024 22:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</guid><category/><description>&lt;p>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under &lt;a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094">CVE-2024-3094&lt;/a>, which could allow remote code execution under certain circumstances. The original report is available &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">here&lt;/a> if you are interested in the technical details.&lt;/p>
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Info :: LinuxServer.io</title><link>https://info.linuxserver.io/</link><description>History</description><generator>github.com/cstate</generator><language>en</language><lastBuildDate>Fri, 29 Mar 2024 22:00:00 +0000</lastBuildDate><atom:link href="https://info.linuxserver.io/index.xml" rel="self" type="application/rss+xml"/><item><title>Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils</title><link>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</link><pubDate>Fri, 29 Mar 2024 22:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</guid><category/><description>&lt;h3 id="update---2024-03-30">Update - 2024-03-30&lt;/h3>
&lt;p>Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to &amp;ldquo;may allow unauthorized access to affected systems&amp;rdquo;.&lt;/p>
&lt;p>As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.&lt;/p>
&lt;h3 id="original-post">Original Post&lt;/h3>
&lt;p>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under &lt;a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094">CVE-2024-3094&lt;/a>, which could allow remote code execution under certain circumstances. The original report is available &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">here&lt;/a> if you are interested in the technical details.&lt;/p>
&lt;p>We have evaluated all of our current base images for indications that they may be vulnerable to this exploit:&lt;/p>
&lt;ul>
&lt;li>Our Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.&lt;/li>

15
issues/2024-03-29-cve-2024-3094/index.html
View File

File diff suppressed because one or more lines are too long

2
issues/2024-03-29-cve-2024-3094/index.json
View File

@ -1 +1 @@
{"is":"issue","title":"Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils","body":"\u003cp\u003eA supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under \u003ca href=\"https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094\"\u003eCVE-2024-3094\u003c/a\u003e, which could allow remote code execution under certain circumstances. The original report is available \u003ca href=\"https://www.openwall.com/lists/oss-security/2024/03/29/4\"\u003ehere\u003c/a\u003e if you are interested in the technical details.\u003c/p\u003e\n\u003cp\u003eWe have evaluated all of our current base images for indications that they may be vulnerable to this exploit:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eOur Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.\u003c/li\u003e\n\u003cli\u003eOur Arch base image did contain an affected version of XZ Utils, and we have now pushed an updated build that includes a fixed version of the XZ package.\u003c/li\u003e\n\u003cli\u003eOur Alpine Edge base image did contain an affected version of XZ Utils, but did not appear to be vulnerable due to the exploit\u0026rsquo;s dependency on glibc, and we have now pushed an updated build that includes a fixed version of the XZ package.\u003c/li\u003e\n\u003cli\u003eOur other Alpine base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSo far the only exploitation path that has been observed is via SSH, and so in the vast majority of cases could not be exploited in any of our container environments, but we always recommend that you ensure any internet-facing containers are properly secured and kept up to date.\u003c/p\u003e\n\u003cp\u003eWe will update this post as and when more information becomes available.\u003c/p\u003e\n","createdAt":"2024-03-29 22:00:00 +0000 UTC","lastMod":"2024-03-29 20:30:57 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/","severity":"notice","resolved":false,"informational":false,"resolvedAt":"<no value>","affected":["Vulnerabilities"],"filename":"2024-03-29-cve-2024-3094.md"}
{"is":"issue","title":"Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils","body":"\u003ch3 id=\"update---2024-03-30\"\u003eUpdate - 2024-03-30\u003c/h3\u003e\n\u003cp\u003eFurther analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to \u0026ldquo;may allow unauthorized access to affected systems\u0026rdquo;.\u003c/p\u003e\n\u003cp\u003eAs best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.\u003c/p\u003e\n\u003ch3 id=\"original-post\"\u003eOriginal Post\u003c/h3\u003e\n\u003cp\u003eA supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under \u003ca href=\"https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094\"\u003eCVE-2024-3094\u003c/a\u003e, which could allow remote code execution under certain circumstances. The original report is available \u003ca href=\"https://www.openwall.com/lists/oss-security/2024/03/29/4\"\u003ehere\u003c/a\u003e if you are interested in the technical details.\u003c/p\u003e\n\u003cp\u003eWe have evaluated all of our current base images for indications that they may be vulnerable to this exploit:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eOur Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.\u003c/li\u003e\n\u003cli\u003eOur Arch base image did contain an affected version of XZ Utils, and we have now pushed an updated build that includes a fixed version of the XZ package.\u003c/li\u003e\n\u003cli\u003eOur Alpine Edge base image did contain an affected version of XZ Utils, but did not appear to be vulnerable due to the exploit\u0026rsquo;s dependency on glibc, and we have now pushed an updated build that includes a fixed version of the XZ package.\u003c/li\u003e\n\u003cli\u003eOur other Alpine base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSo far the only exploitation path that has been observed is via SSH, and so in the vast majority of cases could not be exploited in any of our container environments, but we always recommend that you ensure any internet-facing containers are properly secured and kept up to date.\u003c/p\u003e\n\u003cp\u003eWe will update this post as and when more information becomes available.\u003c/p\u003e\n","createdAt":"2024-03-29 22:00:00 +0000 UTC","lastMod":"2024-03-30 12:32:02 +0000 UTC","permalink":"https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/","severity":"notice","resolved":false,"informational":false,"resolvedAt":"<no value>","affected":["Vulnerabilities"],"filename":"2024-03-29-cve-2024-3094.md"}

4
issues/index.html
View File

File diff suppressed because one or more lines are too long

2
issues/index.json
View File

File diff suppressed because one or more lines are too long

9
issues/index.xml
View File

@ -1,6 +1,9 @@
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><link rel="alternate" type="text/html" href="https://info.linuxserver.io"/><title>Issues on Info :: LinuxServer.io</title><link>https://info.linuxserver.io/issues/</link><description>History</description><generator>github.com/cstate</generator><language>en</language><lastBuildDate>2024-03-29T22:00:00+00:00</lastBuildDate><updated>2024-03-29T22:00:00+00:00</updated><atom:link href="https://info.linuxserver.io/issues/index.xml" rel="self" type="application/rss+xml"/><item><title>Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils</title><link>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</link><pubDate>Fri, 29 Mar 2024 22:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</guid><category/><description>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under CVE-2024-3094, which could allow remote code execution under certain circumstances. The original report is available here if you are interested in the technical details.
We have evaluated all of our current base images for indications that they may be vulnerable to this exploit:
Our Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.</description><content type="html">&lt;p>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under &lt;a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094">CVE-2024-3094&lt;/a>, which could allow remote code execution under certain circumstances. The original report is available &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">here&lt;/a> if you are interested in the technical details.&lt;/p>
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><link rel="alternate" type="text/html" href="https://info.linuxserver.io"/><title>Issues on Info :: LinuxServer.io</title><link>https://info.linuxserver.io/issues/</link><description>History</description><generator>github.com/cstate</generator><language>en</language><lastBuildDate>2024-03-29T22:00:00+00:00</lastBuildDate><updated>2024-03-29T22:00:00+00:00</updated><atom:link href="https://info.linuxserver.io/issues/index.xml" rel="self" type="application/rss+xml"/><item><title>Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils</title><link>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</link><pubDate>Fri, 29 Mar 2024 22:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</guid><category/><description>Update - 2024-03-30 Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to &amp;ldquo;may allow unauthorized access to affected systems&amp;rdquo;.
As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.</description><content type="html">&lt;h3 id="update---2024-03-30">Update - 2024-03-30&lt;/h3>
&lt;p>Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to &amp;ldquo;may allow unauthorized access to affected systems&amp;rdquo;.&lt;/p>
&lt;p>As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.&lt;/p>
&lt;h3 id="original-post">Original Post&lt;/h3>
&lt;p>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under &lt;a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094">CVE-2024-3094&lt;/a>, which could allow remote code execution under certain circumstances. The original report is available &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">here&lt;/a> if you are interested in the technical details.&lt;/p>
&lt;p>We have evaluated all of our current base images for indications that they may be vulnerable to this exploit:&lt;/p>
&lt;ul>
&lt;li>Our Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.&lt;/li>

2
sitemap.xml
View File

File diff suppressed because one or more lines are too long