kiwix / kiwix-build

Kiwix & openZIM build engine
GNU General Public License v3.0

Recent versions of XZ (since 2022) may be compromised and should be checked #686

Closed Jaifroid closed 4 months ago

Jaifroid commented 4 months ago

I believe Kiwix may use a "frozen" version of XZ, but we should check that it isn't compromised by the recently discovered back door. See for example https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html and for a detailed timeline https://boehs.org/node/everything-i-know-about-the-xz-backdoor.

kelson42 commented 4 months ago

@Jaifroid Thank you for this bug report, very interesting, on so many levels. Currently we distribute binaries with version 5.2.6 of liblzma, which was published on 2022-08-12. Weaknesses were introduced from 2023, so I guess we are not impacted.

kelson42 commented 4 months ago

Official announcement: https://tukaani.org/xz-backdoor/, only 5.6.0 and 5.6.1 are impacted.