xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well

Reply: Tomoaki AOKI : "Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well"
Reply: Jonathan Vasquez : "Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <henrichhartzer_at_tuta.io>
Date: Sat, 30 Mar 2024 01:15:53 UTC

Hi everyone,

I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4

It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.

I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.

The Github repository has currently been locked out.

Hoping that someone more aware of what's going on can offer more insight.

Thanks!

-Henrich