Bug#1068107: cloud.debian.org: pull images with compromised xz packages

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1068107: cloud.debian.org: pull images with compromised xz packages
From: Ross Vandegrift <rvandegrift@debian.org>
Date: Sat, 30 Mar 2024 12:44:35 -0700
Message-id: <[🔎] 171182787557.3527.17754447414782003693.reportbug@stgulik.kallisti.us>
Reply-to: Ross Vandegrift <rvandegrift@debian.org>, 1068107@bugs.debian.org

Package: cloud.debian.org
Severity: important
X-Debbugs-Cc: rvandegrift@debian.org

Hi team,

We should probably pull the daily sid and trixie images built with the
compromised xz-utils.  Looking at the json manifests, this would be:

  sid: all images since 2024-02-27 
  trixie: 2024-03-05 through 2024-03-28, inclusive

I determined these dates by looking at the azure amd64 manifest, since it's
first in the dir listing.  I haven't looked into why the sid builds still say
they include liblzma5 5.6.0-0.2.

Finally, apologies for not being able to do this myself - I still do not have
my account setup for access to core machines.

Ross

Reply to:

Prev by Date: Processed: block 1059933 with 1068095
Previous by thread: Processed: block 1059933 with 1068095
Index(es):
- Date
- Thread