In https://www.openwall.com/lists/oss-security/2024/03/29/4 it says

== Bug reports ==
Given the apparent upstream involvement I have not reported an upstream bug….

I suggest not waiting for an upstream release and instead revert our commit and add an epoch line.

Blair

> On Mar 29, 2024, at 10:50 AM, Rainer Müller <rai...@macports.org> wrote:
>
> On 29/03/2024 18.40, Fred Wright wrote:
>>
>> On Fri, 29 Mar 2024, Frank Dean wrote:
>>
>>> I received a security announcement on the Debian mailing list [1]. It
>>> appears versions 5.6.0 of XZ Utils and later may be compromised. I
>>> also found a discussion on Openwall [2].
>>>
>>> [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html
>>>
>>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>>>
>>> I'm afraid that's all I know. Just a heads-up.
>
> Wow. That's an awful story.
>
> The exploit seems to specifically target Linux systems only ("[...] it
> is likely the backdoor can only work on glibc based systems.").
>
>> In [1] they mention reverting to 5.4.5 to fix it. It's not 100% clear
>> from that whether 5.4.6 is affected, but it sounds like it's not. Since
>> MacPorts is currently at 5.4.6, the port is probably OK as long as it
>> doesn't do any overzealous upgrading.
>
> The xz port was updated to 5.6.1 just two days ago:
> https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
>
> Based on the current information, the risk seems low for macOS system.
> Should we still be cautious and revert to version 5.4.6 and bump the
> epoch to force a downgrade for everyone? Or do we expect a new upstream
> release soon to sort this out?
>
> Rainer
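The thread discusses reverting the xz port from 5.6.1 to 5.4.6 and bumping the epoch so users are downgraded. As an added example (not code from the thread or from MacPorts), this POSIX shell snippet checks whether the xz binary on PATH falls in the version range Frank's message describes as affected (5.6.0 and later), so an administrator can verify the downgrade took effect; the `xz --version` banner format it parses ("xz (XZ Utils) 5.6.1") is the one XZ Utils prints.

```shell
#!/bin/sh
# Added example, not part of the thread: flag XZ Utils builds at or above
# 5.6.0 (the range discussed as compromised) so a downgrade can be verified.

# Returns 0 (affected) when "$1" is a dotted version >= 5.6.0, 1 otherwise.
xz_version_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 6 ] && return 0
    return 1
}

# Extracts and prints the version from an "xz --version" first line such as
# "xz (XZ Utils) 5.6.1"; prints nothing if the line does not match.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Checks the xz binary on PATH and prints a verdict. Returns 0 when no
# affected version is found (or xz is absent), 2 when the version is affected.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH"
        return 0
    fi
    banner=$(xz --version 2>/dev/null | head -n 1)
    ver=$(xz_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse version from: $banner"
        return 0
    fi
    if xz_version_affected "$ver"; then
        echo "xz $ver is in the affected range (>= 5.6.0); downgrade to 5.4.6 or earlier"
        return 2
    fi
    echo "xz $ver is outside the affected range"
    return 0
}
```

Run `check_installed_xz` after `port upgrade` to confirm the epoch bump actually pulled the installed binary back below 5.6.0.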