我們使用 cookie 來幫助我們改善網頁體驗。請閱讀我們的 Cookie 政策

AS-2024-002: XZ Utils

2024-04-03

Severity

Not affected

Status

Resolved


Statement

A critical security vulnerability has been discovered in XZ Utils versions 5.6.0 and 5.6.1.

None of ASUSTOR's products are affected by CVE-2024-3094 as this vulnerability only affect XZ Utils 5.6.0 and 5.6.1.


Affected Products

Product Severity Fixed Release Availability
ADM 4.2 and 4.1 Not affected N/A
ADM 4.0 Not affected N/A

Detail

  • CVE-2024-3094
    • Severity: Not affected
    • Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Reference


Revision

Revision Date Description
1 2024-04-03 Initial public release.