CVE-2024-3094: xz-utils compromise (unstable/testing only) #215

@tianon

Description

The most important bit (IMO) being:

Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and
experimental distributions, with versions ranging from 5.5.1alpha-0.1
(uploaded on 2024-02-01), up to and including 5.6.1-1.

Ideally I'd do a targeted rebuild of just unstable/testing, but that's a little bit complicated with the way I currently build these. 😞

There's also a stable release happening next Saturday, so we're due for a full rebuild shortly following that anyhow.

So, given that this only affects unstable and testing and only appears (AFAICT) to affect SSH and specifically SSH when invoked via systemd (which is very uncommon in containers), I do not currently plan to do a high-priority rebuild just for this. 🙇

(I will, however, continue to monitor the situation/comms to see if the situation changes such that I should reconsider.)
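Added example, not part of this issue or its author's tooling: a small POSIX shell check that classifies a Debian xz/liblzma5 package version against the range quoted from the Debian advisory above (5.5.1alpha-0.1 up to and including 5.6.1-1), so that an image or container can be triaged without a full rebuild. It compares only the upstream major.minor.patch triple, which is coarse but enough to separate those uploads from stable's 5.4.x. The sample version strings are constructed for illustration, and the handling of `+really` goes beyond the quoted text: it assumes Debian's convention of naming a reverted upstream as `<new>+really<old>`, where the part after `+really` is the version actually shipped.

```sh
#!/bin/sh
# Added example (not from this issue): coarse check of a Debian xz/liblzma5
# package version against the affected range quoted from the Debian advisory,
# 5.5.1alpha-0.1 up to and including 5.6.1-1.

# Returns 0 if the version is in the affected range, 1 if not, 2 if unparseable.
xz_version_affected() {
  upstream="${1%%-*}"                         # drop the Debian revision: 5.6.1-1 -> 5.6.1
  case "$upstream" in
    # Assumption: Debian "+really" convention for a reverted upstream,
    # e.g. 5.6.1+really5.4.5 actually ships 5.4.5.
    *+really*) upstream="${upstream##*+really}" ;;
  esac
  if ! printf '%s\n' "$upstream" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+'; then
    return 2
  fi
  # Split into major minor patch, ignoring any suffix such as "alpha".
  set -- $(printf '%s\n' "$upstream" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+).*$/\1 \2 \3/')
  code=$(( $1 * 10000 + $2 * 100 + $3 ))      # 5.6.1 -> 50601
  if [ "$code" -ge 50501 ] && [ "$code" -le 50601 ]; then
    return 0
  fi
  return 1
}

# Human-readable verdict for one version string (safe under set -e).
xz_verdict() {
  rc=0
  xz_version_affected "$1" || rc=$?
  case "$rc" in
    0) echo "AFFECTED" ;;
    2) echo "UNKNOWN" ;;
    *) echo "NOT AFFECTED" ;;
  esac
}

# Inside a Debian-based image: look up the installed liblzma5 package.
# dpkg-query is only present on Debian-family systems.
check_installed_liblzma() {
  command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not found"; return 2; }
  v=$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null) || { echo "liblzma5 not installed"; return 2; }
  echo "liblzma5 $v: $(xz_verdict "$v")"
}

# Constructed sample versions, not captured from any real system.
for v in 5.4.5-0.2 5.5.1alpha-0.1 5.6.0-0.2 5.6.1-1 5.6.1+really5.4.5-1; do
  echo "$v -> $(xz_verdict "$v")"
done
```

Run `check_installed_liblzma` inside a container built from one of the affected suites to get a verdict for the package actually installed; the loop at the bottom only exercises the classifier on constructed inputs. Note that the version check says nothing about whether sshd is present or is started via systemd, which is the condition the post above singles out; it only tells you whether the compromised liblzma build is on the image at all.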
