LAB-linuxserver/cstate
1
0
Fork 0
mirror of https://github.com/linuxserver/cstate.git synced 2026-02-06 20:17:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update with newer information.

Browse Source
This commit is contained in:
TheSpad 2024-03-30 12:32:02 +00:00
parent 9b18ff8163
commit fc697f16f5
No known key found for this signature in database
GPG Key ID: 08F06191F4587860
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
content/issues/2024-03-29-cve-2024-3094.md
View File

@ -8,6 +8,14 @@ affected:
section: issue
---
### Update - 2024-03-30
Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to "may allow unauthorized access to affected systems".
As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.
### Original Post
A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under [CVE-2024-3094](https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094), which could allow remote code execution under certain circumstances. The original report is available [here](https://www.openwall.com/lists/oss-security/2024/03/29/4) if you are interested in the technical details.
We have evaluated all of our current base images for indications that they may be vulnerable to this exploit: