Backdoor found in xz 5.6.1
Description:
Backdoor was found in the 5.6.0 - 5.6.1 releases (ref: https://www.openwall.com/lists/oss-security/2024/03/29/4). Arch is most likely not vulnerable, as the backdoor appears to only run when built by the Debian build system or as an RPM package. Regardless, it's probably sensible to revert to the last known good release (5.4.5, judging by Debian - https://security-tracker.debian.org/tracker/source-package/xz-utils), so we're not supplying users with software known to be touched by malicious actors.
Edited by Laura Hausmann
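
A way to check a host against the release range named in the report, added here as an example and not part of the original issue: it parses the two lines that `xz --version` prints (the `xz` binary and `liblzma`, which can differ) and flags 5.6.0 or 5.6.1. The function names and the `--local` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the releases
# named in the report (5.6.0 and 5.6.1). Function names are hypothetical.

# is_affected_version VERSION -> exit 0 if VERSION is 5.6.0 or 5.6.1
is_affected_version() {
    # Drop a packaging suffix such as "-1" (assumed suffix shape).
    v=${1%%[-+~]*}
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_xz_output TEXT -> one result line per component; exit 1 if any is affected
check_xz_output() {
    status=0
    # `xz --version` prints "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z";
    # the first word is the component, the last word is its version.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%% *}
        ver=${line##* }
        if is_affected_version "$ver"; then
            echo "AFFECTED: $name $ver"
            status=1
        else
            echo "ok: $name $ver"
        fi
    done <<EOF
$1
EOF
    return $status
}

# Check the locally installed binary only when asked to.
if [ "${1:-}" = "--local" ]; then
    check_xz_output "$(xz --version)"
fi
```

A match means the installed release is in the range the report names; it does not show whether the backdoor is active in that build, which the report ties to how the package was built.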