top | item 39867078

jonathanspw | 1 year ago

Yesterday sure was fun, wasn't it? :p Thanks for all your help/working with me on getting this cleaned up in Fedora.

speleding | 1 year ago

PSA: I just noticed homebrew installed the compromised version on my Mac as a dependency of some other package. You may want to check this to see what version you get:

   xz --version
Homebrew has already taken action, a `brew upgrade` will downgrade back to the last known good version.
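The version check above, scripted out so it can be run across many machines, as an added example that is not part of any comment in this thread. It assumes the banner format `xz (XZ Utils) X.Y.Z` on the first line of `xz --version` and uses only the affected releases named in the thread (5.6.0 and 5.6.1); the two sample banners are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): classify an `xz --version` banner.
# Affected releases per the thread: 5.6.0 and 5.6.1.
# The sample banners at the bottom are constructed for demonstration.

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the banner does
# not match the assumed format.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Print "affected" for the two backdoored releases, "not-affected" otherwise.
# Anything that fails to parse is reported as "unknown" rather than silently
# passing, because an unparsable banner is not evidence of a clean install.
classify_xz_version() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;
        *)           echo not-affected ;;
    esac
}

# Convenience wrapper: check whichever xz is first on PATH, if any.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH"
        return 0
    fi
    banner=$(xz --version 2>/dev/null | head -n 1)
    ver=$(xz_version_from_banner "$banner")
    echo "xz $ver: $(classify_xz_version "$ver")"
}

# Constructed sample banners (what a 5.6.1 and a 5.4.6 install would print).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Usage: run the script directly to check the local machine.
check_installed_xz
```

Note that this only inspects the `xz` binary on PATH; other software may link a separately installed liblzma, so on macOS `otool -L` and on Linux `ldd` against the binaries you care about is the complementary check.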

jonahx | 1 year ago

I also had a Homebrew-installed affected version.

I understand it's unlikely, but is there anything I can do to check if the backdoor was used? Also any other steps I should take after "brew upgrade"?

mthoms | 1 year ago

Thanks for this. I just ran brew upgrade and the result was as you described:

  xz 5.6.1 -> 5.4.6

pmarreck | 1 year ago

Sorry, what exact version(s) are affected again?

(or SHAs, etc.)

(EDIT: 5.6.0 and 5.6.1 ?)

(EDIT 2: Ooof, looks like the nix unstable channel uses xz 5.6.1 at this time)

I use Nix to manage this stuff on Mac, not Homebrew...

cozzyd | 1 year ago

Is it actually compromised on Homebrew, though? I guess we can't be sure, but it seemed to be checking if it was being packaged as .deb or .rpm?

erhaetherth | 1 year ago

Is 5.2.2 safe? Just 5.6.0 and 5.6.1 are bad?

w4ffl35 | 1 year ago

Is it normal that when I try to uninstall xz it is trying to install lzma?

inetknght | 1 year ago

It means that `xz` was depended upon by something that depends on, e.g., "xz OR lzma".