XZ Utils Compromised Releases

Rainer Müller raimue at macports.org
Fri Mar 29 18:23:17 UTC 2024

On 29/03/2024 18.52, Blair Zajac wrote:
> In https://www.openwall.com/lists/oss-security/2024/03/29/4 it says
>     == Bug reports ==
>     Given the apparent upstream involvement I have not reported an upstream
>     bug….
> I suggest not waiting for an upstream release and instead revert our
> commit and add an epoch line.

You are right. That is the best way as we cannot be sure what else just
has not been discovered in the backdoor-ed releases.

Joshua already pushed the downgrade to xz @5.4.6 with the epoch bumped.
Thank you!



More information about the macports-dev mailing list