author: Sam James <sam@gentoo.org> 2024-03-29 22:45:41 +0000
committer: Sam James <sam@gentoo.org> 2024-03-29 22:52:30 +0000
commit: 56f0bb584949a4b8946dd5e79e0398e73aaf06e0
tree: d1e417f0600cab7631534268c8b4374367165079 /profiles/package.mask
parent: app-admin/vault: add 1.15.6
app-arch/xz-utils: add/restore 5.4.2

This is the last release signed by Lasse Collin, the previous signer of xz-utils releases.

Downgrade to this out of an abundance of caution. We are not aware of any issues that *specifically* require this.

Note that the Manifest matches dfcc1f271fa3da8b8710c80737e85a7347f16ba0 from when 5.4.2 was removed from ::gentoo in the past.

Bug: https://bugs.gentoo.org/928134
Signed-off-by: Sam James <sam@gentoo.org>

Diffstat (limited to 'profiles/package.mask')
-rw-r--r-- profiles/package.mask 11
1 files changed, 10 insertions, 1 deletions
diff --git a/profiles/package.mask b/profiles/package.mask
index 7abcf6cc3031..6c0d5f5a7b23 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -34,10 +34,19 @@
#--- END OF EXAMPLES ---
# Sam James <sam@gentoo.org> (2024-03-28)
+# Newer releases were signed by a potentially compromised upstream maintainer.
+# There is no evidence that these releases contain malicious code, but masked
+# out of an abundance of caution. See bug #928134.
+>=app-arch/xz-utils-5.4.3
+
+# Sam James <sam@gentoo.org> (2024-03-28)
# Backdoor discovered in release tarballs. DOWNGRADE NOW.
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# https://bugs.gentoo.org/928134
->=app-arch/xz-utils-5.6.0
+~app-arch/xz-utils-5.5.1_alpha
+~app-arch/xz-utils-5.5.2_beta
+~app-arch/xz-utils-5.6.0
+~app-arch/xz-utils-5.6.1
# Michał Górny <mgorny@gentoo.org> (2024-03-26)
# Last release in 2012. No reverse dependencies.
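
Review bot: The added `>=app-arch/xz-utils-5.4.3` entry already covers every version in the "Backdoor discovered" entry below it, so the four `~` atoms only matter once the precautionary mask is lifted; add a line to the second entry's comment saying it lists the specific affected versions and must stay in place when the `>=5.4.3` entry is removed. That comment still says a backdoor was discovered in release tarballs while the list now also names 5.5.1_alpha and 5.5.2_beta, so it should state whether those two are confirmed affected or masked as a precaution. The new entry is also dated 2024-03-28 while the commit is authored 2024-03-29; the header date should be the day the entry was added.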