microsoft/vcpkg

[liblzma] port uses compromised version

marekr opened this issue · 7 comments

Describe the bug
vcpkg updated liblzma to 5.6.0. This version is known to be compromised and backdoored.

https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

This is a solid 10.0 CVE score vulnerability.

vcpkg should immediately revert from 5.6.0.
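To check a local vcpkg tree for the affected release before or after syncing the revert, here is an added example (not code from this issue thread or from the vcpkg project). It flags 5.6.0, the version named above, and also 5.6.1, which the CVE-2024-3094 record covers. It assumes that vcpkg's `installed/vcpkg/status` file is a Debian-style stanza file (`Key: value` lines, stanzas separated by blank lines) and that a manifest `vcpkg.json` may pin versions under an `overrides` array; the sample data at the bottom is constructed.

```python
"""Added example, not from the vcpkg issue thread or the vcpkg project.

Scan a vcpkg tree for the liblzma/xz releases affected by CVE-2024-3094.
Assumptions: installed/vcpkg/status is a Debian-style stanza file and
vcpkg.json may pin versions in an "overrides" array.
"""
import json
import re
from pathlib import Path

# 5.6.0 is the version named in the issue; 5.6.1 is also covered by the CVE.
COMPROMISED_VERSIONS = {"5.6.0", "5.6.1"}
AFFECTED_PORTS = {"liblzma", "xz"}  # port names that ship the xz code


def parse_status(text: str) -> list[dict[str, str]]:
    """Split a status file into a list of {field: value} stanzas."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Continuation lines start with whitespace and carry no field.
            if ":" in line and not line[0].isspace():
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def compromised_installed(stanzas: list[dict[str, str]]) -> list[tuple]:
    """Return (package, version, triplet) for installed compromised ports."""
    hits = []
    for s in stanzas:
        status_words = s.get("Status", "").split()
        installed = bool(status_words) and status_words[-1] == "installed"
        if (s.get("Package") in AFFECTED_PORTS
                and s.get("Version") in COMPROMISED_VERSIONS
                and installed):
            hits.append((s["Package"], s["Version"], s.get("Architecture", "?")))
    return hits


def compromised_overrides(manifest: dict) -> list[tuple]:
    """Return (name, version) for manifest overrides pinning a compromised release."""
    return [(o.get("name"), o.get("version"))
            for o in manifest.get("overrides", [])
            if o.get("name") in AFFECTED_PORTS
            and o.get("version") in COMPROMISED_VERSIONS]


def scan_tree(root: Path) -> list[str]:
    """Scan <root>/installed/vcpkg/status and <root>/vcpkg.json if present."""
    findings = []
    status = root / "installed" / "vcpkg" / "status"
    if status.is_file():
        for pkg, ver, triplet in compromised_installed(parse_status(status.read_text())):
            findings.append(f"installed: {pkg} {ver} ({triplet})")
    manifest = root / "vcpkg.json"
    if manifest.is_file():
        for name, ver in compromised_overrides(json.loads(manifest.read_text())):
            findings.append(f"manifest override: {name} {ver}")
    return findings


# Constructed sample data (not a real vcpkg tree).
SAMPLE_STATUS = """\
Package: zlib
Version: 1.3
Architecture: x64-windows
Status: install ok installed

Package: liblzma
Version: 5.6.0
Port-Version: 0
Architecture: x64-windows
Status: install ok installed

Package: liblzma
Version: 5.4.4
Architecture: x64-linux
Status: install ok installed
"""
SAMPLE_MANIFEST = {"name": "myapp", "dependencies": ["liblzma"],
                   "overrides": [{"name": "liblzma", "version": "5.6.0"}]}

if __name__ == "__main__":
    for hit in compromised_installed(parse_status(SAMPLE_STATUS)):
        print("compromised install:", hit)
    for hit in compromised_overrides(SAMPLE_MANIFEST):
        print("compromised override:", hit)
```

Point `scan_tree` at the vcpkg root (or at a project directory holding `vcpkg.json`) to get a list of findings; an empty list means neither an installed liblzma nor a manifest override is at a flagged version.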

This PR already addresses the issue by downgrading the xz version, but it still leaves the build broken because the entire xz repo has been disabled by GitHub, so ALL versions are blocked.

So, to fix your build, run git pull to sync that fix, and then make this unofficial one-liner change to grab xz from an unofficial mirror.


Then building will work again:

.\vcpkg install liblzma:x64-windows

If you are using vcpkg in manifest mode with a builtin baseline, you can use an overlay port to implement the suggestion by @MichaelCurrie .

to implement the suggestion by @MichaelCurrie

... until that fork is taken down for the same reasons as the official repo.

Yes. I am sure the folks involved do not make these decisions lightly. I hope there will be an actual solution soon.

The official XZ team announcement is here:

Important to know: There is no problem with contributors here like @carsten-grimm.

But several people mix everything up because I requested the XZ update in vcpkg.
I have received a lot of bad messages (private and public).
I have no link with the XZ project; I only follow the project and make announcements and/or update requests.
I requested 5.4.5 and 5.6.0 because there was only 5.4.4 in vcpkg.

@gowthamgts has participated badly against me on Reddit, and I have commented in two places where he has commented (on my SCRAM request publications):

You can see the original comment here:

You can follow my announcements here:

The good point: people are talking about SCRAM ("Salted Challenge Response Authentication Mechanism") security ;)

Unfortunately, some people or projects like only old, insecure mechanisms; some would like security improvements.

cc: @duesee, @canselcik, @WinkelCode, @timrobbins1, @sebpretzer, @sroussey, @masklinn, @Asmor (not sure).