XZ Utils Compromised Releases
Rainer Müller
raimue at macports.org
Fri Mar 29 18:23:17 UTC 2024
On 29/03/2024 18.52, Blair Zajac wrote:
> In https://www.openwall.com/lists/oss-security/2024/03/29/4
> <https://www.openwall.com/lists/oss-security/2024/03/29/4> it says
>
> == Bug reports ==
>
> Given the apparent upstream involvement I have not reported an upstream
> bug….
>
>
> I suggest not waiting for an upstream release and instead revert our
> commit and add an epoch line.
You are right. That is the best way as we cannot be sure what else just
has not been discovered in the backdoor-ed releases.
Joshua already pushed the downgrade to xz @5.4.6 with the epoch bumped.
Thank you!
https://trac.macports.org/ticket/69619
https://github.com/macports/macports-ports/commit/a1388aee09c9e921e3a9d47cf9d37e5d3f3c10ad
Rainer
More information about the macports-dev
mailing list