Xz/liblzma security update (post #2)

In a follow-up to our original post from March 29th regarding CVE-2024-3094, we wanted to share additional information.

  • Was the vulnerable library ever in the Ubuntu 24.04 LTS (Noble Numbat) daily builds?
    • No
  • How can you be sure the affected library is gone?
    • The library itself has been removed from the proposed pocket of the archive for Noble. Due to the complex nature of build dependencies and linking, out of an abundance of caution every binary built for Noble after the malicious code was introduced (February 26th) has been deleted and is being rebuilt.
  • If I'm running Ubuntu, was I ever exposed?
    • No, the library never made it into our daily image builds nor into any of our supported LTS or interim releases. Unless you manually installed the affected library, or you have deliberately configured your system to pull from noble-proposed, you were not exposed.
  • Who could still be affected?
    • Anyone who has a self-hosted repository or mirror should verify that they do not have the affected library (liblzma version 5.6.0) resident.
    • Anyone who manually updated their install of liblzma5 to the 5.6.0 version should proceed with caution and consider the system potentially compromised.
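The two "who could still be affected" cases above are checkable from a shell. The script below is an added example and is not part of the Ubuntu post or of any Canonical tooling. It assumes Debian-style package version strings (optional epoch, upstream version, Debian revision), the standard `pool/` layout of an apt mirror, and apt source files in either one-line (`*.list`) or deb822 (`*.sources`) format. The post names liblzma 5.6.0; the script also flags 5.6.1, which the upstream CVE-2024-3094 advisory covers as well. The `dpkg-query` call is the only part that touches the live system; everything else works on paths you give it, and the sample mirror tree in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Ubuntu post. Checks for the xz/liblzma
# backdoor (CVE-2024-3094) in three places: the installed liblzma5
# package, a self-hosted mirror tree, and the apt sources that would
# have pulled from noble-proposed. Assumption: Debian-style versions
# and mirror layout; 5.6.1 is flagged alongside the post's 5.6.0
# because the upstream CVE covers both.

# Return 0 if a dpkg version string (e.g. "5.6.0-0.2" or "1:5.6.1-1")
# has an affected upstream version, 1 otherwise.
is_affected_version() {
    v=${1#*:}        # drop an epoch such as "1:" if present
    v=${v%%-*}       # drop the Debian revision such as "-0.2"
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version field of a .deb filename:
#   liblzma5_5.6.0-0.2_amd64.deb  ->  5.6.0-0.2
deb_version() {
    f=$(basename "$1")
    f=${f#*_}
    printf '%s\n' "${f%%_*}"
}

# Print the path of every liblzma*/xz-utils binary package under the
# mirror directory DIR whose version is affected. Prints nothing when
# the mirror is clean. (Assumes mirror paths contain no newlines.)
scan_mirror() {
    find "$1" -type f \( -name 'liblzma*_*.deb' -o -name 'xz-utils_*.deb' \) |
    while IFS= read -r deb; do
        if is_affected_version "$(deb_version "$deb")"; then
            printf 'AFFECTED: %s\n' "$deb"
        fi
    done
}

# Return 0 if any uncommented apt source line under DIR (default
# /etc/apt) names the noble-proposed pocket; covers both
# "deb ... noble-proposed main" and deb822 "Suites: noble noble-proposed".
check_proposed_enabled() {
    grep -rqs '^[^#]*noble-proposed' "${1:-/etc/apt}"
}

# Report the installed liblzma5 version on this host.
# Exit status: 0 = affected version installed, 1 = not affected or not
# installed, 2 = not a dpkg-based system.
check_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    ver=$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null) || {
        printf 'liblzma5 is not installed\n'
        return 1
    }
    printf 'liblzma5 installed version: %s\n' "$ver"
    if is_affected_version "$ver"; then
        printf 'AFFECTED: treat this system as potentially compromised\n'
        return 0
    fi
    printf 'not an affected version\n'
    return 1
}

# Usage:  sh xz-check.sh --host             check this machine
#         sh xz-check.sh --mirror /srv/mirror   scan a mirror tree
case "${1:-}" in
    --host)
        check_installed
        if check_proposed_enabled; then
            printf 'WARNING: noble-proposed is enabled in /etc/apt\n'
        fi
        ;;
    --mirror)
        scan_mirror "$2"
        ;;
esac
```

Run `--host` on a machine that may have pulled from noble-proposed; an affected version makes `check_installed` return 0, which is the signal to follow the post's advice and treat the host as potentially compromised rather than just upgrading the package. For a mirror, point `--mirror` at the directory containing `pool/`; because `scan_mirror` matches on the filename only, it works on a mirror that has lost its index files, and an empty result means no affected `liblzma*` or `xz-utils` package is resident.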

We plan to share a more detailed writeup after the dust has settled, but wanted to get these high level updates out.
