XZ Utils Compromised Releases

Kirill A. Korinsky kirill at korins.ky
Fri Mar 29 18:43:26 UTC 2024


On Fri, 29 Mar 2024 18:50:35 +0100,
Rainer Müller wrote:
> 
> > In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear
> > from that whether 5.4.6 is affected, but it sounds like it's not.  Since
> > MacPorts is currently at 5.4.6, the port is probably OK as long as it
> > doesn't do any overzealous upgrading.
> 
> The xz port was updated to 5.6.1 just two days ago:
> https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
> 
> Based on the current information, the risk seems low for macOS system.
> Should we still be cautious and revert to version 5.4.6 and bump the
> epoch to force a downgrade for everyone? Or do we expect a new upstream
> release soon to sort this out?
> 

Better to roll back the version and communicate somehow that it is paranoia.

-- 
wbr, Kirill
