Request
The version of xz/liblzma currently used in the core is outdated and potentially vulnerable. It should be upgraded to enhance security and prevent exposure to high-severity CVEs.
Vulnerability Details:
- CVE-2024-3094
- Severity: Critical (Score: 10.0)
- Affects: xz versions 5.6.0 and 5.6.1 only
- Risk: an accidental future upgrade to 5.6.0 or 5.6.1 would unknowingly introduce this vulnerability.
- CVE-2025-31115
- Severity: High (Score: 8.7)
- Affects: xz versions 5.3.3alpha through 5.8.0
- Risk: the core remains vulnerable to this CVE until xz is upgraded to 5.8.1 or later.
Possible implementation
Recommended Action:
- Upgrade to xz ≥ 5.8.1 to fully mitigate both vulnerabilities at the same time.
- Optionally add version checks in build/config scripts to prevent regression into vulnerable versions.
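One way to implement the version check suggested above, as an added example (not code from this project): a POSIX sh snippet that parses the first line of `xz --version`, rejects the backdoored 5.6.0/5.6.1 releases by name, and requires 5.8.1 or later for CVE-2025-31115. The function names, the `MIN_XZ_VERSION` variable and the sample version strings are assumptions for illustration.

```shell
#!/bin/sh
# Added example: reject xz/liblzma releases affected by CVE-2024-3094
# (5.6.0, 5.6.1) and CVE-2025-31115 (5.3.3alpha through 5.8.0).
# Intended to be sourced or pasted into a build/config script.

MIN_XZ_VERSION="5.8.1"   # assumed policy value: first release fixing CVE-2025-31115

# Extract the version from `xz --version` text, e.g.
# "xz (XZ Utils) 5.8.1" -> "5.8.1", "xz (XZ Utils) 5.3.3alpha" -> "5.3.3alpha".
# Takes the text as $1 so the parser can be exercised without running xz.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*[A-Za-z]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= dotted version $2, comparing component by
# component as integers. Trailing letters such as "3alpha" compare as 3.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# Return 0 if version $1 is acceptable, 1 otherwise, naming the CVE on stderr.
# 5.6.0/5.6.1 are already below MIN_XZ_VERSION; the explicit denylist exists so
# the failure message points at CVE-2024-3094 rather than a generic "too old".
xz_version_ok() {
    v="$1"
    case "$v" in
        5.6.0|5.6.1)
            echo "xz $v is affected by CVE-2024-3094; refusing to build" >&2
            return 1 ;;
    esac
    if ! version_ge "$v" "$MIN_XZ_VERSION"; then
        echo "xz $v is affected by CVE-2025-31115; need >= $MIN_XZ_VERSION" >&2
        return 1
    fi
    return 0
}

# Entry point for a build script: check the xz found on PATH.
check_installed_xz() {
    out=$(xz --version 2>/dev/null) || { echo "xz not found on PATH" >&2; return 1; }
    v=$(xz_version_from_output "$out")
    [ -n "$v" ] || { echo "could not parse xz version from: $out" >&2; return 1; }
    xz_version_ok "$v"
}
```

Call `check_installed_xz || exit 1` early in the build script; it fails closed when xz is missing or its version line cannot be parsed, so an unexpected distribution build does not silently pass. If the core links liblzma directly, apply the same `xz_version_ok` check to the `liblzma` line of the output or to `pkg-config --modversion liblzma` instead.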