Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well

From: Jonathan Vasquez <jon_at_xyinn.org>
Date: Sat, 30 Mar 2024 21:53:48 UTC
Thanks for sending this Henrich. For whatever reason I thought I was already subscribed to @security but I wasn’t… this has been resolved :).

On Fri, Mar 29, 2024 at 21:15, <henrichhartzer@tuta.io> wrote:

> Hi everyone,
>
> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
>
> I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
>
> The GitHub repository has currently been locked out.
>
> Hoping that someone more aware of what's going on can offer more insight.
>
> Thanks!
>
> -Henrich