XZ Utils Compromised Releases

Kirill A. Korinsky kirill at korins.ky
Fri Mar 29 18:43:26 UTC 2024

On Fri, 29 Mar 2024 18:50:35 +0100,
Rainer Müller wrote:
> > In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear
> > from that whether 5.4.6 is affected, but it sounds like it's not.  Since
> > MacPorts is currently at 5.4.6, the port is probably OK as long as it
> > doesn't do any overzealous upgrading.
> The xz port was updated to 5.6.1 just two days ago:
> https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
> Based on the current information, the risk seems low for macOS systems.
> Should we still be cautious and revert to version 5.4.6 and bump the
> epoch to force a downgrade for everyone? Or do we expect a new upstream
> release soon to sort this out?

Better to roll back the version and communicate somehow that it is paranoia.

wbr, Kirill