
Curious how everybody is remediating that new supply chain vulnerability for XZ.  

My security team sent me this link - xz-backdoor-attack 

I'm guessing an EA to locate non-patched versions, but what about deploying/updating the version?  I'm guessing a lot of them were done using brew.  
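As an added example (not from the original post or any of the replies), here is what a Jamf-style Extension Attribute script for the first half of that question could look like: it locates the `xz` binary in the usual Homebrew prefixes and on `PATH`, parses `xz --version`, and reports whether the installed release is one of the two backdoored versions (5.6.0 and 5.6.1). The Homebrew paths, the `<result>` wrapper and the version-string format are assumptions about a typical macOS setup.

```shell
#!/bin/sh
# Added example, not the thread's own code: a Jamf Extension Attribute that
# reports the installed xz version and flags the backdoored releases.

# Return 0 if the version string is one of the two affected xz releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of `xz --version` output such as
# "xz (XZ Utils) 5.4.6" (format assumed; the first matching line wins).
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Build the status text for one xz binary path.
xz_status_for_binary() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "not installed"
        return 0
    fi
    ver=$(parse_xz_version "$("$bin" --version 2>/dev/null || true)")
    if [ -z "$ver" ]; then
        echo "unknown version at $bin"
    elif is_affected_xz_version "$ver"; then
        echo "AFFECTED $ver at $bin"
    else
        echo "ok $ver at $bin"
    fi
}

# Entry point: check the Apple Silicon and Intel Homebrew prefixes (assumed
# locations) plus whatever is first on PATH, and emit one <result> line.
main() {
    for candidate in /opt/homebrew/bin/xz /usr/local/bin/xz "$(command -v xz 2>/dev/null || true)"; do
        [ -n "$candidate" ] && [ -x "$candidate" ] || continue
        echo "<result>$(xz_status_for_binary "$candidate")</result>"
        return 0
    done
    echo "<result>not installed</result>"
}

main
```

Scoping the EA on `AFFECTED` then gives a smart group of the machines that still need the `brew upgrade`; a machine with no `xz` at all reports `not installed` rather than silently passing.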


I ran a ‘which xz’ on all devices with brew installed and only a few had it installed. brew update downgrades it.

Not that it's an actual issue on macOS.


I'm not a security expert, but according to this, it's only a vulnerability on Linux distros not BSD like macOS.

https://lwn.net/Articles/968084/

https://www.reddit.com/r/cybersecurity/comments/1btz1w6/mac_os_running_homebrew_may_be_vulnerable_to_the/



@ImAMacGuy afaik macOS is not really impacted.
But since xz 5.6.0 and 5.6.1 have been taken off homebrew as well, I decided to run a script that let brew update (well, actually downgrade in this case) xz to the latest recommended version.

If you are interested, have a look at this: https://github.com/adibue/brew-xz-patcher/