I accidentally found a security issue while benchmarking postgres changes.
If you run Debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
@AndresFreundTec Thank you so much for finding this!
The questions at the top of my mind now are: who will fork and continue maintenance of xz? How will we determine that we can trust them? And how will we apply those lessons throughout the larger ecosystem?
@gordonmessmer @AndresFreundTec i read that many projects migrate to zstd anyway ¯\_(ツ)_/¯
@malte @AndresFreundTec There's still a lot of data out there already in xz format, so merely dropping the software would mean that that data becomes unreadable. Dropping it may be an option, but I'm not sure it's the best option.
@gordonmessmer @malte @AndresFreundTec True, but xz isn't the only library capable of decoding lzma. 7-zip, for example.