Security warning: xz-utils had a supply chain attack, please check if/how your app is affected
porg opened this issue
porg commented
I wanted to inform you asap, as my favorite compression utility, about this recent supply chain attack on xz:
https://en.wikipedia.org/wiki/XZ_Utils#Supply_chain_attack
- I'm not sure whether you integrate xz or its library or make calls to the system wide installed library
- Better to inform than not to inform.
Regards, porg
aONe commented
Thanks a lot for the info @porg! Keka is currently using xz and liblzma version 5.4.5, so it should not be affected. I'll wait to update the version until this is fixed, hopefully very soon.
Anyway, no system resources use the bundled liblzma in Keka, which is also sandboxed without network capabilities. Let's see how this evolves.
aONe commented
Will be updating to the latest v5.6.2 in the next revision. Glad the issue did not escalate further.