XZ Utils Compromised Releases
Fred Wright
fw at fwright.net
Fri Mar 29 17:40:09 UTC 2024
On Fri, 29 Mar 2024, Frank Dean wrote:
> I received a security announcement on the Debian mailing list [1]. It appears versions 5.6.0 of XZ Utils and later may be compromised. I also found a discussion on Openwall [2].
>
> [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> I'm afraid that's all I know. Just a heads-up.
In [1] they mention reverting to 5.4.5 to fix it. It's not 100% clear
from that whether 5.4.6 is affected, but it sounds like it's not. Since
MacPorts is currently at 5.4.6, the port is probably OK as long as it
doesn't do any overzealous upgrading.
CCing the users list so they don't panic. :-)
Fred Wright
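A quick way to check which side of the line an installed xz falls on, as an added example (not code from this thread or from MacPorts): it parses the first line of `xz --version` and classifies the version using the boundaries stated above, treating "5.6.0 and later" as the affected range and 5.4.5 (the version Debian reverted to) as the last version the thread calls known-good; 5.4.6 is reported as "probably clean", matching Fred's reading.

```python
import re
import subprocess

# Boundaries as stated in the thread (assumption: "5.6.0 and later"
# is the affected range; 5.4.5 is the revert target Debian chose).
AFFECTED_FROM = (5, 6, 0)
KNOWN_CLEAN_UPTO = (5, 4, 5)

# First line of `xz --version` looks like: "xz (XZ Utils) 5.4.6"
VERSION_RE = re.compile(r"xz \(XZ Utils\) (\d+)\.(\d+)\.(\d+)")


def parse_xz_version(output: str) -> tuple:
    """Return (major, minor, patch) parsed from `xz --version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no XZ Utils version found in output")
    return tuple(int(x) for x in m.groups())


def classify(version: tuple) -> str:
    """Map a version tuple to the thread's three cases."""
    if version >= AFFECTED_FROM:
        return "affected"
    if version <= KNOWN_CLEAN_UPTO:
        return "known clean"
    return "probably clean"  # e.g. 5.4.6, per the thread's reading


def classify_output(output: str) -> str:
    """Parse then classify, for use on captured `xz --version` text."""
    return classify(parse_xz_version(output))


def check_installed_xz() -> str:
    """Run the local xz binary and classify it (needs xz on PATH)."""
    out = subprocess.run(["xz", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return classify_output(out)


if __name__ == "__main__":
    # Constructed sample output, matching the MacPorts version in the thread.
    sample = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
    print(parse_xz_version(sample), classify_output(sample))
```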