XZ Utils Compromised Releases

Rainer Müller raimue at macports.org
Fri Mar 29 18:23:17 UTC 2024


On 29/03/2024 18.52, Blair Zajac wrote:
> In https://www.openwall.com/lists/oss-security/2024/03/29/4
> <https://www.openwall.com/lists/oss-security/2024/03/29/4> it says
> 
>     == Bug reports ==
> 
>     Given the apparent upstream involvement I have not reported an upstream
>     bug….
> 
> 
> I suggest not waiting for an upstream release and instead revert our
> commit and add an epoch line.

You are right. That is the best way as we cannot be sure what else just
has not been discovered in the backdoor-ed releases.

Joshua already pushed the downgrade to xz @5.4.6 with the epoch bumped.
Thank you!

https://trac.macports.org/ticket/69619
https://github.com/macports/macports-ports/commit/a1388aee09c9e921e3a9d47cf9d37e5d3f3c10ad

Rainer


More information about the macports-dev mailing list