Statement on backdoor in xz package
Ihsan Dogan
ihsan at opencsw.org
Tue Apr 2 15:29:48 CEST 2024
Recently, a backdoor [1] was discovered in the xz compression library. xz/liblzma [2] are packaged by the OpenCSW project, and various other packages depend on the liblzma library [3].
Today I released version 5.6.0r529 to the repository, which is based on 5.2.9. This is the last release before Jian Tian got active in the xz project [4] (thanks to Jeffrey Walton for the hint). Be aware that the 5.2.9 release might contain other security-related issues.
The downgrade might break ABIs of other packages, and we are currently verifying whether any packages are affected by the downgrade.
I am constantly monitoring the current development about xz and I will update the package accordingly.
[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://www.opencsw.org/packages/CSWxz/
[3] https://www.opencsw.org/packages/liblzma5/
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5
Regards
Ihsan
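The announcement above leaves two practical questions to the reader: which xz/liblzma version is actually installed, and which binaries link liblzma and could therefore be hit by the ABI change of the downgrade. The following POSIX sh helpers are an added example, not code from the announcement or from the OpenCSW project. They parse the output of `xz --version`, classify a version string (5.6.0 and 5.6.1 are the two upstream releases that shipped the backdoor, a known fact the announcement does not spell out; 5.2.9 is the base the announced package was built from), and extract the liblzma object from `ldd` output. All sample outputs and the `/opt/csw` paths in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the OpenCSW announcement: helpers to
# (a) read the versions that `xz --version` reports,
# (b) classify a version against the upstream releases known to carry the
#     backdoor, and
# (c) find which liblzma shared object a binary links, which is the input
#     needed to judge the ABI impact of a liblzma downgrade.
# Sample outputs and paths below are constructed for illustration.

# Parse `xz --version` output (two lines: the xz tool version and the liblzma
# version it was built against) from stdin. Prints "xz=<v> liblzma=<v>".
parse_xz_version_output() {
    awk '
        /^xz \(XZ Utils\)/ { xz = $NF }
        /^liblzma/         { lib = $NF }
        END { printf "xz=%s liblzma=%s\n", xz, lib }
    '
}

# Classify a single version string.
#   compromised      - 5.6.0 and 5.6.1, the upstream releases that shipped the
#                      backdoor (known fact, not stated in the announcement)
#   downgrade-target - 5.2.9, the upstream release the OpenCSW 5.6.0r529
#                      package is based on
#   unclassified     - anything else; consult upstream advisories
classify_xz_version() {
    case "$1" in
        5.6.0|5.6.1) echo "compromised" ;;
        5.2.9)       echo "downgrade-target" ;;
        *)           echo "unclassified" ;;
    esac
}

# Given `ldd` output on stdin, print the resolved path of the liblzma object
# the binary links (prints nothing if it does not link liblzma). Matches the
# "name => path" lines that both Solaris and GNU ldd emit.
liblzma_linked_by() {
    awk '$1 ~ /^liblzma\.so/ && $2 == "=>" { print $3 }'
}

# Demo on constructed input so the script runs without xz installed.
sample_version_output='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
sample_ldd_output='libz.so.1 => /opt/csw/lib/libz.so.1
liblzma.so.5 => /opt/csw/lib/liblzma.so.5
libc.so.1 => /lib/libc.so.1'

versions=$(printf '%s\n' "$sample_version_output" | parse_xz_version_output)
echo "$versions"
lib_ver=${versions##*liblzma=}
echo "liblzma $lib_ver: $(classify_xz_version "$lib_ver")"
echo "linked liblzma: $(printf '%s\n' "$sample_ldd_output" | liblzma_linked_by)"
```

On a real host the functions are fed live output instead of the samples: `xz --version | parse_xz_version_output` and, for each binary of interest, `ldd /path/to/binary | liblzma_linked_by`. Every program that prints a liblzma path is one whose compatibility with the downgraded library has to be confirmed; the package version label alone (5.6.0r529 here, built from 5.2.9) does not tell you which upstream code is running, so check the version liblzma itself reports.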