XZ Utils Compromised Releases

Fred Wright fw at fwright.net
Fri Mar 29 17:40:09 UTC 2024

On Fri, 29 Mar 2024, Frank Dean wrote:

> I received a security announcement on the Debian mailing list [1].  It appears versions 5.6.0 of XY Utils and later may be compromised.  I also found a discussion on Openwall [2].
> [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html <https://lists.debian.org/debian-security-announce/2024/msg00057.html>
> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4 <https://www.openwall.com/lists/oss-security/2024/03/29/4>
> I'm afraid that's all I know.  Just a heads-up.

In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear 
from that whether 5.4.6 is affected, but it sounds like it's not.  Since 
MacPorts is currently at 5.4.6, the port is probably OK as long as it 
doesn't do any overzealous upgrading.

CCing the users list so they don't panic. :-)

Fred Wright

More information about the macports-dev mailing list