<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">I’m seeing it at 5.6.1 in our GitHub repoisory: <a href="https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile">https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile</a><div><br></div><div>We should roll it back to an older release and bump the epoch so everyone sees the rollback.</div><div><br></div><div>Blair</div><div><br><div><blockquote type="cite"><div>On Mar 29, 2024, at 10:40 AM, Fred Wright <fw@fwright.net> wrote:</div><br class="Apple-interchange-newline"><div><div><br>On Fri, 29 Mar 2024, Frank Dean wrote:<br><br><blockquote type="cite">I received a security announcement on the Debian mailing list [1]. It appears versions 5.6.0 of XY Utils and later may be compromised. I also found a discussion on Openwall [2].<br><br><br>[1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html <https://lists.debian.org/debian-security-announce/2024/msg00057.html><br><br>[2]: https://www.openwall.com/lists/oss-security/2024/03/29/4 <https://www.openwall.com/lists/oss-security/2024/03/29/4><br><br><br>I'm afraid that's all I know. Just a heads-up.<br></blockquote><br>In [1] they mention reverting to 5.4.5 to fix it. It's not 100% clear from that whether 5.4.6 is affected, but it sounds like it's not. Since MacPorts is currently at 5.4.6, the port is probably OK as long as it doesn't do any overzealous upgrading.<br><br>CCing the users list so they don't panic. :-)<br><br>Fred Wright<br><br></div></div></blockquote></div><br></div></body></html>