On 29/03/2024 18.52, Blair Zajac wrote:
> In https://www.openwall.com/lists/oss-security/2024/03/29/4 it says
>
> == Bug reports ==
>
> Given the apparent upstream involvement I have not reported an upstream
> bug….
>
>
> I suggest not waiting for an upstream release and instead revert our
> commit and add an epoch line.

You are right. That is the best way as we cannot be sure what else just has not been discovered in the backdoor-ed releases.

Joshua already pushed the downgrade to xz @5.4.6 with the epoch bumped. Thank you!

https://trac.macports.org/ticket/69619
https://github.com/macports/macports-ports/commit/a1388aee09c9e921e3a9d47cf9d37e5d3f3c10ad

Rainer