[Bug 284882] xz Vulnerability issues
Date: Tue, 18 Feb 2025 17:54:21 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284882
Bug ID: 284882
Summary: xz Vulnerability issues
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: doctor@doctor.nl2k.ab.ca
I noticed that the version of xz being used is 5,54 and the current version is
5.6.4.
Doing a Google search, this comes up:
AI Overview
The primary difference between xz versions 5.4.5 and 5.6.4 is that 5.6.4 is a
newer version with potential security fixes and updates compared to 5.4.5,
particularly regarding a critical "backdoor" vulnerability discovered in the
5.6 series of xz utils, which could allow malicious actors to exploit systems
using this compression library; therefore, it's strongly recommended to use a
version later than 5.6.0 if possible to mitigate this risk.
Key points about the difference:
Vulnerability:
The main concern with older versions like 5.4.5 is the potential presence of a
malicious "backdoor" discovered in the 5.6 series, which could enable
unauthorized access to systems.
Security updates:
Version 5.6.4 is likely to include security patches addressing the "backdoor"
vulnerability, making it a more secure option.
Functionality changes:
While security is the primary concern, there could also be minor functional
updates or bug fixes introduced between versions 5.4.5 and 5.6.4.
URL source
https://www.google.com/search?q=differences+between+xz+5.4.5+and+5.6.4&rlz=1C1YTUH_enCA1117CA1118&oq=differences+between+xz+5.4.5+and+5.6.4&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIHCAEQABjvBTIHCAIQABjvBTIKCAMQABiiBBiJBdIBCTQ0Nzg3ajBqNKgCALACAQ&sourceid=chrome&ie=UTF-8
Any concerns?
--
You are receiving this mail because:
You are the assignee for the bug.