Re: XZ Utils Compromised Releases

2024-03-29 Thread Fred Wright
On Fri, 29 Mar 2024, Blair Zajac wrote: I’m seeing it at 5.6.1 in our GitHub repository: https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile Ah, OK. The 5.4.6 was based on a selfupdate from two days ago. On Mar 29, 2024, at 10:40 AM, Fred Wright wrote: CCing

Re: XZ Utils Compromised Releases

2024-03-29 Thread Kirill A . Korinsky
On Fri, 29 Mar 2024 18:50:35 +0100, Rainer Müller wrote: > > > In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear > > from that whether 5.4.6 is affected, but it sounds like it's not.  Since > > MacPorts is currently at 5.4.6, the port is probably OK as long as it > > doesn't

Re: XZ Utils Compromised Releases

2024-03-29 Thread Joshua Root
A friendly reminder: if there's an issue, please file a ticket! The one exception to that is if there's a vulnerability that has not been made public, in which case contacting the port maintainer and possibly portmgr privately is appropriate. Discussing issues on the mailing lists,

Re: XZ Utils Compromised Releases

2024-03-29 Thread Rainer Müller
On 29/03/2024 18.52, Blair Zajac wrote: > In https://www.openwall.com/lists/oss-security/2024/03/29/4 >  it says > > == Bug reports == > > Given the apparent upstream involvement I have not reported an upstream > bug…. > > >

Re: XZ Utils Compromised Releases

2024-03-29 Thread Blair Zajac
In https://www.openwall.com/lists/oss-security/2024/03/29/4 it says == Bug reports == Given the apparent upstream involvement I have not reported an upstream bug…. I suggest not waiting for an upstream release and instead revert our commit and add an epoch line. Blair > On Mar 29, 2024, at

Re: XZ Utils Compromised Releases

2024-03-29 Thread Rainer Müller
On 29/03/2024 18.40, Fred Wright wrote: > > On Fri, 29 Mar 2024, Frank Dean wrote: > >> I received a security announcement on the Debian mailing list [1].  It >> appears versions 5.6.0 of XZ Utils and later may be compromised.  I >> also found a discussion on Openwall [2]. >> >> >> [1]: >>

Re: XZ Utils Compromised Releases

2024-03-29 Thread Blair Zajac
I’m seeing it at 5.6.1 in our GitHub repository: https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile We should roll it back to an older release and bump the epoch so everyone sees the rollback. Blair > On Mar 29, 2024, at 10:40 AM, Fred Wright wrote: > > > On Fri,

Re: XZ Utils Compromised Releases

2024-03-29 Thread Fred Wright
On Fri, 29 Mar 2024, Frank Dean wrote: I received a security announcement on the Debian mailing list [1]. It appears versions 5.6.0 of XZ Utils and later may be compromised. I also found a discussion on Openwall [2]. [1]:

XZ Utils Compromised Releases

2024-03-29 Thread Frank Dean
I received a security announcement on the Debian mailing list [1]. It appears versions 5.6.0 of XZ Utils and later may be compromised. I also found a discussion on Openwall [2]. [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html
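The practical question raised by this thread is whether the xz on a given machine falls in the range the Debian announcement describes (5.6.0 and later) or is one of the 5.4.x releases the thread treats as unaffected. The script below is an added example written for this archive page, not code from the thread, from MacPorts or from the xz project. It assumes two output formats: that `xz --version` prints `xz (XZ Utils) 5.6.1` as its first line, and that `port installed xz` prints lines of the form `  xz @5.6.1_0 (active)`; the sample lines used at the end are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example for the xz 5.6.0/5.6.1 thread (not MacPorts or xz project code).
# Classifies an xz version string against the advisory range (5.6.0 and later)
# and extracts that string from the two places a MacPorts user would look:
# the "xz --version" banner and "port installed xz" output. Both formats are
# assumptions about those tools' output, not something the thread states.

# Usage: xz_version_affected VERSION
# Returns 0 if VERSION >= 5.6.0, 1 if it is older, 2 if it cannot be parsed.
xz_version_affected() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then
        minor=0          # no dot at all, e.g. "5"
    else
        minor=${rest%%.*}
    fi
    # Refuse anything whose major/minor components are not plain digits.
    case "$major$minor" in
        ''|*[!0-9]*) echo "unparseable version: $v" >&2; return 2 ;;
    esac
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -lt 5 ]; then return 1; fi
    [ "$minor" -ge 6 ]   # threshold is 5.6.0, so the patch level is irrelevant
}

# Usage: xz_version_from_output "first line of xz --version"
# Assumed banner format: "xz (XZ Utils) 5.6.1". Prints the version or nothing.
xz_version_from_output() {
    printf '%s\n' "$1" |
        awk '$1 == "xz" && $2 == "(XZ" && $3 == "Utils)" { print $4; exit }'
}

# Usage: xz_version_from_port_installed "one line of port installed xz output"
# Assumed line format: "  xz @5.6.1_0 (active)" (version, then _revision).
# Header lines such as "The following ports are currently installed:" yield nothing.
xz_version_from_port_installed() {
    printf '%s\n' "$1" |
        sed -n 's/^ *xz @\([0-9][0-9.]*\)_[0-9][0-9]*.*/\1/p'
}

# Usage: xz_report SOURCE VERSION
# Prints a verdict and passes through xz_version_affected's return code.
xz_report() {
    xz_version_affected "$2"
    rc=$?
    case $rc in
        0) echo "$1: xz $2 is in the affected range (5.6.0 and later); roll back" ;;
        1) echo "$1: xz $2 is outside the affected range" ;;
        *) echo "$1: could not parse xz version '$2'" ;;
    esac
    return $rc
}

# Stand-alone run: inspect whatever xz is on PATH, if any. The "|| :" keeps a
# "not affected" verdict (exit status 1) from aborting a script run under set -e.
if command -v xz >/dev/null 2>&1; then
    installed=$(xz_version_from_output "$(xz --version 2>/dev/null | head -n 1)")
    if [ -n "$installed" ]; then
        xz_report "PATH" "$installed" || :
    fi
fi

# Constructed sample of what "port installed xz" might print on a machine
# that picked up the 5.6.1 Portfile mentioned in the thread.
sample_port_line='  xz @5.6.1_0 (active)'
sample_version=$(xz_version_from_port_installed "$sample_port_line")
xz_report "constructed port installed line" "$sample_version" || :
```

The comparison deliberately treats only the major and minor components, since the advisory boundary is the whole 5.6 series; anything that does not parse is reported separately rather than silently counted as safe.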