I’m seeing it at 5.6.1 in our GitHub repository: https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile
We should roll it back to an older release and bump the epoch so everyone sees the rollback.

Blair

> On Mar 29, 2024, at 10:40 AM, Fred Wright <f...@fwright.net> wrote:
>
> On Fri, 29 Mar 2024, Frank Dean wrote:
>
>> I received a security announcement on the Debian mailing list [1]. It
>> appears versions 5.6.0 of XZ Utils and later may be compromised. I also
>> found a discussion on Openwall [2].
>>
>> [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html
>>
>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>>
>> I'm afraid that's all I know. Just a heads-up.
>
> In [1] they mention reverting to 5.4.5 to fix it. It's not 100% clear from
> that whether 5.4.6 is affected, but it sounds like it's not. Since MacPorts
> is currently at 5.4.6, the port is probably OK as long as it doesn't do any
> overzealous upgrading.
>
> CCing the users list so they don't panic. :-)
>
> Fred Wright