
Commit 71eba29

committed
fix: xz vulnerability
This downgrades the xz version to `v5.4.5`, which is the same version other distros have downgraded to. Sidero repos are not affected; the downgrade is a safe precaution. Ref: https://www.openwall.com/lists/oss-security/2024/03/29/4 Also pulls in the latest stable toolchain. Signed-off-by: Noel Georgi <[email protected]>
1 parent 7e1b2d8 commit 71eba29


2 files changed

+7
-5
lines changed


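--- a/Pkgfile
+++ b/Pkgfile
@@ -5,7 +5,7 @@
 format: v1alpha2
 
 vars:
-TOOLCHAIN_IMAGE: ghcr.io/siderolabs/toolchain:v0.11.0-alpha.0-5-g33d73a0
+TOOLCHAIN_IMAGE: ghcr.io/siderolabs/toolchain:v0.11.0
 
 # renovate: datasource=github-releases depName=abseil/abseil-cpp
 abseil_version: 20240116.1
@@ -340,9 +340,10 @@ vars:
 util_linux_sha512: a2de1672f06ca5d2d431db1265a8499808770c3781019ec4a3a40170df4685826d8e3ca120841dcc5df4681ca8c935a993317bd0dc70465b21bf8e0efef65afa
 
 # renovate: datasource=github-releases depName=tukaani-project/xz
-xz_version: v5.6.1
-xz_sha256: f334777310ca3ae9ba07206d78ed286a655aa3f44eec27854f740c26b2cd2ed0
-xz_sha512: a8b6d2e58eb61609a64b182e868c47aaf722d34f87bad3a9598c94ad96fb3357477959a95bb215c1dac59b8c84453cf00dc23669d13358f4aeb5123526f741f2
+# NOTE: using 5.4.5 the version debian downgraded to. Ref: https://www.openwall.com/lists/oss-security/2024/03/29/4
+xz_version: v5.4.5
+xz_sha256: da9dec6c12cf2ecf269c31ab65b5de18e8e52b96f35d5bcd08c12b43e6878803
+xz_sha512: 5cbc3b5bb35a9f5773ad657788fe77013471e3b621c5a8149deb7389d48535926e5bed103456fcfe5ecb044b236b1055b03938a6cc877cfc749372b899fc79e5
 
 # renovate: datasource=github-tags extractVersion=^v(?<version>.*)$ depName=madler/zlib
 zlib_version: 1.3.1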
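Review bot: The `# renovate: datasource=github-releases depName=tukaani-project/xz` annotation is kept directly above the pinned `xz_version: v5.4.5`, so if Renovate is active for this repository it will presumably keep proposing a bump back to the latest upstream release, which is exactly what this commit is trying to avoid. Consider either dropping or disabling that annotation for xz until upstream is trusted again, and saying so in the note so the pin is not undone by an automated PR: `# NOTE: pinned to 5.4.5, the version Debian downgraded to; do not bump via renovate until the upstream xz release process is cleared. Ref: https://www.openwall.com/lists/oss-security/2024/03/29/4`. As a smaller style point, quoting the digests (`xz_sha256: "da9dec6c…"`) protects against a future all-digit hash being retyped as an integer by the YAML parser.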

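--- a/xz/pkg.yaml
+++ b/xz/pkg.yaml
@@ -8,7 +8,8 @@ dependencies:
 - stage: libtool
 steps:
 - sources:
-- url: https://github.com/tukaani-project/xz/releases/download/{{ .xz_version }}/xz-{{ .xz_version | replace "v" "" }}.tar.xz
+# - url: https://github.com/tukaani-project/xz/releases/download/{{ .xz_version }}/xz-{{ .xz_version | replace "v" "" }}.tar.xz
+- url: https://src.fedoraproject.org/lookaside/pkgs/xz/xz-5.4.5.tar.xz/sha512/5cbc3b5bb35a9f5773ad657788fe77013471e3b621c5a8149deb7389d48535926e5bed103456fcfe5ecb044b236b1055b03938a6cc877cfc749372b899fc79e5/xz-5.4.5.tar.xz
 destination: xz.tar.xz
 sha256: "{{ .xz_sha256 }}"
 sha512: "{{ .xz_sha512 }}"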
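Review bot: The new source URL hard-codes `xz-5.4.5` and the sha512 twice, while the `sha256`/`sha512` checks below still read `{{ .xz_sha256 }}` / `{{ .xz_sha512 }}` from Pkgfile, so a later change to `xz_version` or the digests in Pkgfile would leave this line fetching the old tarball and the build would only fail at checksum verification rather than fetching the intended version. Since the lookaside path embeds the sha512 anyway, the line can be templated from the same variables: `- url: https://src.fedoraproject.org/lookaside/pkgs/xz/xz-{{ .xz_version | replace "v" "" }}.tar.xz/sha512/{{ .xz_sha512 }}/xz-{{ .xz_version | replace "v" "" }}.tar.xz`. The commented-out GitHub URL above it has no explanation; a short comment such as `# upstream GitHub release tarballs are not used for now, see the xz note in Pkgfile` would tell a maintainer why the mirror was chosen. The `steps` block this source belongs to continues outside the hunk.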
