A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and snuck it into Fedora builds. That's the same version that FreeBSD CURRENT uses. For multiple reasons we aren't vulnerable: the malicious code isn't included in xz's git repo, only its dist tarballs; the malicious code is only triggered on x86_64 Linux in an rpm or deb build; and the malicious code resides in a .m4 file which our build process doesn't use. But upstream considers all of 5.6.0 to be untrustworthy and recommends that everyone downgrade to 5.4.5.
summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
details: https://www.openwall.com/lists/oss-security/2024/03/29/4
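As an added example (not part of the original notice, and not FreeBSD's or xz's own tooling), the following POSIX sh script parses the banner that `xz --version` prints and flags the two releases the notice names, 5.6.0 and 5.6.1, then runs the same check against whatever xz is installed on the host. It assumes the banner has its real format, "xz (XZ Utils) 5.6.1" on the first line and "liblzma 5.6.1" on the second; the sample banners in the script are constructed. As the notice itself points out, the backdoor lives in the dist tarballs and only activates under specific build conditions, so a version hit here means "investigate how this build was produced", not "compromised".

```shell
#!/bin/sh
# Added example, not part of the original notice: flag an xz/liblzma
# version string as one of the two releases the notice names (5.6.0, 5.6.1).
# Assumes `xz --version` prints "xz (XZ Utils) 5.6.1" on its first line and
# "liblzma 5.6.1" on its second, which is the real format of that banner.

# Print the version number at the end of a banner line (or a bare version
# string); print nothing if the line does not end in an x.y.z version.
xz_version_from_banner() {
    printf '%s\n' "$1" | awk '$NF ~ /^[0-9]+\.[0-9]+\.[0-9]+$/ { print $NF }'
}

# Return 0 if the version in $1 is 5.6.0 or 5.6.1, 1 if it is any other
# version, 2 if no version could be parsed from the line.
xz_version_affected() {
    ver=$(xz_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one classification word for a banner line: affected, ok, or unknown.
# The "|| rc=$?" form keeps this safe to call under `set -e`.
xz_status() {
    rc=0
    xz_version_affected "$1" || rc=$?
    case $rc in
        0) echo affected ;;
        1) echo ok ;;
        *) echo unknown ;;
    esac
}

# Classify the xz and liblzma actually installed on this host. A version
# match alone does not prove the binary came from a trojaned tarball (a build
# from the git tag reports the same number), so treat "affected" as a prompt
# to check the build's provenance, not as a verdict.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 0
    fi
    xz --version 2>/dev/null | while IFS= read -r line; do
        printf '%s -> %s\n' "$line" "$(xz_status "$line")"
    done
}

# Constructed sample banners, shaped like real `xz --version` output.
for sample in "xz (XZ Utils) 5.6.1" "liblzma 5.6.1" "xz (XZ Utils) 5.4.5"; do
    printf '%s -> %s\n' "$sample" "$(xz_status "$sample")"
done
check_installed_xz
```

The classification is deliberately version-only so it can be run on a host without trusting anything but the banner; pairing it with a package-manager or ports record of where the installed xz came from is what turns an "affected" line into an actual finding.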