<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/90218">90218</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Raising awareness over xz compromise
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          joycebrum
      </td>
    </tr>
</table>

<pre>
I'm reaching out to check if you might have been using a compromised version of the xz library (versions 5.6.0 or 5.6.1). A recent security vulnerability was discovered in these versions, and I wanted to raise awareness of it to ensure no vulnerable version is being used.

Since only a few versions of Linux distributions were affected (mostly testing and experimental versions), I know it is very unlikely that llvm-project got affected. But either way, since llvm actively uses xz on the released tarballs, could you please confirm whether the project has directly installed xz versions 5.6.0 or 5.6.1, or used one of the affected Linux distribution versions? The affected Linux distribution versions can be seen at [XZ Utils backdoor update: Which Linux distros are affected and what can you do?](https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/#:~:text=It%20has%20been%20established%20that%20XZ%20Utils%20versions%205.6.,that%20listens%20for%20SSH%20connections.)

I appreciate your time and attention to this matter.
</pre>