XZ Utils Compromised Releases
Kirill A. Korinsky
kirill at korins.ky
Fri Mar 29 18:43:26 UTC 2024
On Fri, 29 Mar 2024 18:50:35 +0100,
Rainer Müller wrote:
>
> > In [1] they mention reverting to 5.4.5 to fix it. It's not 100% clear
> > from that whether 5.4.6 is affected, but it sounds like it's not. Since
> > MacPorts is currently at 5.4.6, the port is probably OK as long as it
> > doesn't do any overzealous upgrading.
>
> The xz port was updated to 5.6.1 just two days ago:
> https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
>
> Based on the current information, the risk seems low for macOS system.
> Should we still be cautious and revert to version 5.4.6 and bump the
> epoch to force a downgrade for everyone? Or do we expect a new upstream
> release soon to sort this out?
>
Better to rollback version and communicate somehow that it is paranoia.
--
wbr, Kirill
More information about the macports-dev
mailing list