XZ Utils Compromised Releases

Blair Zajac blair at orcaware.com
Fri Mar 29 17:46:05 UTC 2024


I’m seeing it at 5.6.1 in our GitHub repository: https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile

We should roll it back to an older release and bump the epoch so everyone sees the rollback.

Blair

> On Mar 29, 2024, at 10:40 AM, Fred Wright <fw at fwright.net> wrote:
> 
> 
> On Fri, 29 Mar 2024, Frank Dean wrote:
> 
>> I received a security announcement on the Debian mailing list [1].  It appears versions 5.6.0 of XZ Utils and later may be compromised.  I also found a discussion on Openwall [2].
>> 
>> 
>> [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html
>> 
>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>> 
>> 
>> I'm afraid that's all I know.  Just a heads-up.
> 
> In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear from that whether 5.4.6 is affected, but it sounds like it's not.  Since MacPorts is currently at 5.4.6, the port is probably OK as long as it doesn't do any overzealous upgrading.
> 
> CCing the users list so they don't panic. :-)
> 
> Fred Wright
> 
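A quick check of whether the xz on PATH falls in the version range the advisory relayed above tells users to downgrade away from (5.6.0 and later). This is an added example, not code from the thread or from MacPorts; the banner format `xz (XZ Utils) 5.6.1` and the 5.6.0 threshold are assumptions taken from the messages above.

```shell
#!/bin/sh
# Added example (not MacPorts or XZ Utils code): flag an xz whose version
# falls in the range the advisory describes as possibly compromised
# (5.6.0 and later). Banner strings used in tests are constructed.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Non-numeric suffixes such as "5.6.1beta" are ignored (treated as 5.6.1).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    pa="${a%%.*}"; pb="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    pa="${pa%%[!0-9]*}"; pb="${pb%%[!0-9]*}"
    pa="${pa:-0}"; pb="${pb:-0}"
    if [ "$pa" -lt "$pb" ]; then echo -1; return; fi
    if [ "$pa" -gt "$pb" ]; then echo 1; return; fi
  done
  echo 0
}

# True (exit 0) when the version is 5.6.0 or newer, i.e. inside the
# range the Debian advisory tells users to roll back from.
xz_version_affected() {
  [ "$(vercmp "$1" 5.6.0)" -ge 0 ]
}

# Pull the version number out of the first line of `xz --version`,
# which is assumed to look like: "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
  printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Inspect the xz found on PATH; prints a verdict and returns 1 if affected.
check_installed_xz() {
  command -v xz >/dev/null 2>&1 || { echo "xz not found on PATH"; return 0; }
  v="$(xz_version_from_banner "$(xz --version 2>/dev/null)")"
  if xz_version_affected "$v"; then
    echo "xz $v is in the affected range (>= 5.6.0); roll back to 5.4.x"
    return 1
  fi
  echo "xz $v is below 5.6.0"
}

# Run the live check only when asked, so the file can be sourced safely.
if [ "${1:-}" = "--check" ]; then check_installed_xz; fi
```

Run it as `sh xz-check.sh --check` on a host to get a verdict for the xz on PATH.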
