From 1c3d353e2333e8a21b8f021b1c62b703c62a2e57 Mon Sep 17 00:00:00 2001 From: Fayas Ahamed Date: Tue, 2 Apr 2024 22:47:13 +0400 Subject: [PATCH] docs: xz-utils security advisory (#2557) * CVE - XZ utils * xz-utils security advisory - update impact statement - add ubuntu security advisory * xz-utils security advisory - list all OS * xz-utils security advisory - change uses to supports * xz-utils security advisory - change images to distributions * xz-utils security advisory - address review comments * docs: language touch-up * chore: fixed utility term --------- Co-authored-by: alagujeeva Co-authored-by: Karl Cardenas --- .../security-bulletins/cve-reports.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/docs-content/security-bulletins/cve-reports.md b/docs/docs-content/security-bulletins/cve-reports.md index 328144a6a9..64389b3e3b 100644 --- a/docs/docs-content/security-bulletins/cve-reports.md +++ b/docs/docs-content/security-bulletins/cve-reports.md 
@@ -32,6 +32,41 @@ _Are there any links users can visit to find out more?_ --> +## April 2, 2024 - CVE-2024-3094 Malicious Code in XZ Utility - 10 CVSS + +Malicious code was discovered in the upstream tarballs of the XZ utility, starting with version 5.6.0, contain malicious +code. This code is hidden within a test file in the source code and is extracted by the liblzma build process. The code +then modifies specific functions in the liblzma library, resulting in a modified version of the library. Any software +that links against this modified library may have its data interaction intercepted and modified. You can learn more +about the vulnerability in the [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) reference page. + +#### Impact + +No impact. None of the OS distributions supported by Palette use the impacted versions of the XZ utils package. Below +are the links to the security advisories for all the Palette supported OS distributions: + +- [Ubuntu 20.04, 22.04, 23.10](https://ubuntu.com/security/CVE-2024-3094) +- [RHEL 8](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users) +- [OpenSUSE Leap](https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/) +- [SLE Micro](https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/) + +#### Patches + +Not Applicable + +### Workarounds + +Not Applicable + +#### References + +- [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) +- [Ubuntu CVE Disclosure](https://ubuntu.com/security/CVE-2024-3094) +- [RedHat CVE Disclosure](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users) +- [SUSE CVE Disclosure](https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/) + +
+ ## January 10, 2024 - CVE-2023-39323 Bypass CGO Restrictions - 8.1 CVSS Line directives `//line` can be used to bypass the restrictions on `//go:cgo_` directives, allowing blocked linker and
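Review bot: The opening sentence of the new April 2, 2024 section is ungrammatical and says "malicious code" twice ("Malicious code was discovered in the upstream tarballs of the XZ utility, starting with version 5.6.0, contain malicious code."); suggest "The upstream tarballs of XZ Utils, starting with version 5.6.0, contain malicious code." While touching it, "starting with version 5.6.0" reads as open-ended; the NVD entry linked in the same paragraph scopes CVE-2024-3094 to versions 5.6.0 and 5.6.1, so naming those two versions is more precise and supports the "No impact" conclusion below. In the Impact list, the "RHEL 8" entry links to a Red Hat blog post whose URL slug refers to Fedora 41 and Rawhide, not RHEL 8; the same URL is reused as "RedHat CVE Disclosure" under References. An RHEL 8 entry should point at Red Hat's CVE page for CVE-2024-3094 (or the RHEL 8 advisory stating the shipped xz is unaffected), otherwise a reader following the link finds no RHEL 8 statement at all. Finally, the heading levels are inconsistent within the section: "#### Impact", "#### Patches" and "#### References" are level four, but "### Workarounds" is level three, which would render Workarounds as a sibling of the dated advisory heading rather than a subsection of it; change it to "#### Workarounds".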