From ihsan at opencsw.org Tue Apr 2 15:29:48 2024
From: ihsan at opencsw.org (Ihsan Dogan)
Date: Tue, 2 Apr 2024 15:29:48 +0200
Subject: Statement on backdoor in xz package
Message-ID: <7BB1038C-932C-4E55-B1F2-B60B6B86915F@opencsw.org>

Recently, a backdoor [1] was discovered in the xz compression library. xz/liblzma [2] are packaged by the OpenCSW project, and various other packages depend on the liblzma library [3].

Today I released version 5.6.0r529 to the repository, which is based on 5.2.9. This is the last release before Jian Tian got active in the xz project [4] (thanks to Jeffrey Walton for the hint).

Be aware that the 5.2.9 release might contain other security-related issues. The downgrade might break ABIs to other packages, and we are currently verifying whether any packages are affected by the downgrade.

I am constantly monitoring the current development around xz and I will update the package accordingly.

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://www.opencsw.org/packages/CSWxz/
[3] https://www.opencsw.org/packages/liblzma5/
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5

Regards
Ihsan