Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Date: Sat, 30 Mar 2024 21:53:48 UTC
Thanks for sending this Henrich. For whatever reason I thought I was already subscribed to @security but I wasn’t… this has been resolved :). On Fri, Mar 29, 2024 at 21:15, <[henrichhartzer@tuta.io](mailto:On Fri, Mar 29, 2024 at 21:15, <<a href=)> wrote: > Hi everyone, > > I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4 > > It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer. > > I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well. > > The Github repository has currently been locked out. > > Hoping that someone more aware of what's going on can offer more insight. > > Thanks! > > -Henrich