summaryrefslogtreecommitdiff
path: root/profiles/package.mask
diff options
context:
space:
mode:
Diffstat (limited to 'profiles/package.mask')
-rw-r--r--profiles/package.mask11
1 files changed, 10 insertions, 1 deletions
diff --git a/profiles/package.mask b/profiles/package.mask
index 7abcf6cc3031..6c0d5f5a7b23 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -34,10 +34,19 @@
#--- END OF EXAMPLES ---
# Sam James <sam@gentoo.org> (2024-03-28)
+# Newer releases were signed by a potentially compromised upstream maintainer.
+# There is no evidence that these releases contain malicious code, but masked
+# out of an abundance of caution. See bug #928134.
+>=app-arch/xz-utils-5.4.3
+
+# Sam James <sam@gentoo.org> (2024-03-28)
# Backdoor discovered in release tarballs. DOWNGRADE NOW.
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# https://bugs.gentoo.org/928134
->=app-arch/xz-utils-5.6.0
+~app-arch/xz-utils-5.5.1_alpha
+~app-arch/xz-utils-5.5.2_beta
+~app-arch/xz-utils-5.6.0
+~app-arch/xz-utils-5.6.1
# Michał Górny <mgorny@gentoo.org> (2024-03-26)
# Last release in 2012. No reverse dependencies.