Backdoor in upstream xz/liblzma leading to ssh server compromise
https://www.openwall.com/lists/oss-secu ... 24/03/29/4
there's more around if you search
jon
Further to this, apparently Microsoft's reply to the problem was:
Date: Sat, 30 Mar 2024 15:11:47 -0500
From: Rob Landley <rob@landley.net>
To: toybox <toybox@lists.landley.net>
Subject: [Toybox] Microsoft github took down the xz repo.
Message-ID: <ab361ddc-3133-062e-3e43-6c5d6d8b397c@landley.net>
Content-Type: text/plain; charset=UTF-8
FYI, Microsoft Github disabled the xz repository because it became
"controversial" (i.e. there was an exploit in the news).
https://social.coop/@eb/112182149429056593
https://github.com/tukaani-project/xz
I'm assuming if toybox ever has a significant bug, microsoft would respond by
deleting the toybox repository. There's a reason that I have
https://landley.net/toybox/git on my website, and my send.sh script pushes to
that _before_ pushing to microsoft github.
Luckily the xz guys don't seem to trust microsoft github either, because the
upstream of the xz-embedded repo with the public domain code I cloned is:
https://git.tukaani.org/xz-embedded.git
Which is still available.
Rob
Default puppies seem to be safe, as 5.6.0+ is not used there. xz versions used in recent puppies:
5.4.1 Bookwormpup64-10.0.6
5.4.1 Vanilladpup-10.0.47
5.2.4 Fossapup64-9.6-4CE
5.2.5 s15pup64-22.12-240223
Older default puppies are unaffected. xz was not upgraded in any of my recent remasters. 'Latest is not always greatest'.
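An added example (not from this thread or from the Puppy project) of the check the post above is doing by hand: read the version that `xz --version` reports, and classify it against the affected range. The thread's rule is "5.6.0+"; the oss-security advisory linked at the top of the thread names 5.6.0 and 5.6.1 as the backdoored upstream releases, so those two are reported as "backdoored", anything at or above 5.6.0 that is not one of them as "review", and anything below as "unaffected". Assumes POSIX sh and awk only; the sample `xz --version` text at the bottom is constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the forum thread.
# Classify an xz/liblzma version against the backdoored 5.6.0 / 5.6.1 releases.

# version_ge A B -> exit 0 if dotted version A >= B (numeric per component)
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0};  bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# xz_version_status VERSION -> prints backdoored | review | unaffected | unknown
xz_version_status() {
    case "$1" in
        5.6.0|5.6.1) echo backdoored; return 0 ;;   # releases named in the advisory
        ""|*[!0-9.]*) echo unknown;  return 0 ;;    # not a plain dotted version
    esac
    if version_ge "$1" 5.6.0; then
        echo review        # the thread's "5.6.0+" rule: not in the advisory, but look it up
    else
        echo unaffected
    fi
}

# parse_xz_version_output: reads `xz --version` text on stdin and prints
# "<xz version> <liblzma version>" (the two lines xz prints, e.g. "xz (XZ Utils) 5.4.1")
parse_xz_version_output() {
    awk '/^xz \(XZ Utils\)/ { x = $4 } /^liblzma/ { l = $2 } END { print x, l }'
}

# report_installed: run the check against the xz actually on this system, if any
report_installed() {
    if command -v xz >/dev/null 2>&1; then
        set -- $(xz --version 2>/dev/null | parse_xz_version_output)
        echo "xz $1: $(xz_version_status "$1")  liblzma $2: $(xz_version_status "$2")"
    else
        echo "xz not installed"
    fi
}

# Constructed sample output (the format xz 5.x prints), for running without xz present.
SAMPLE_OUTPUT='xz (XZ Utils) 5.4.1
liblzma 5.4.1'

# Stand-alone run: the thread's version table, then the sample, then the live system.
for v in 5.4.1 5.2.4 5.2.5 5.6.0 5.6.1; do
    echo "$v: $(xz_version_status "$v")"
done
set -- $(printf '%s\n' "$SAMPLE_OUTPUT" | parse_xz_version_output)
echo "sample: xz $1 -> $(xz_version_status "$1")"
report_installed
```

The numeric compare is deliberately written without `sort -V`, which busybox builds (common on small puppies) may lack.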
I'm using jackal pup and there are liblzma 5.2.4 and xz-utils 5.2.4 already installed in my package manager.