Hey. Can we be confidently sure that going back to 5.4.5 is enough?
At least the git tag for that seems to be still signed by the adversary: https://git.tukaani.org/?p=xz.git;a=tag;h=9e4835399118b98954f110f76af2a0d504d2f531 The last one, still from Lasse Collin seems to be 5.4.1: https://git.tukaani.org/?p=xz.git;a=tag;h=f52502e78bf84f516a739e8d8a1357f27eeea75f Cheers, Chris.