CVE-2024-3094: Malicious code in xz 5.6.0 and 5.6.1 tarballs

I’m also wondering about this. I saw a post on Hacker News saying that there were downsides, like stuff being impure.

1 Like

FYI, the downgrade of xz is in nixpkgs master now. *-linux binaries are basically all there.

13 Likes

Hey, that didn’t take too long at all!

Heads up that the PR reverting xz is now in nixos-unstable and nixpkgs-unstable: https://nixpk.gs/pr-tracker.html?pr=300028

11 Likes

This prompted us to add support for content addressable store to Cachix and see how much it would help with saving the rebuilds. I’ll report back once we have some results.

19 Likes

@domenkozar Do you have any results by now?

4 Likes