The MacPorts Project


Security issue in MacPorts 2.10.4 and older

December 28, 2024

MacPorts versions 2.10.4 and older contain a vulnerability that can allow a compromised rsync mirror to add Portfiles to the synced ports tree, thus allowing arbitrary code to be executed when those Portfiles are parsed. (Note that we currently have no reason to believe that any of our mirrors have been compromised.)

The fix for this issue is included in versions 2.10.5 and later. We recommend that all users running an affected version upgrade as soon as possible.

Full details are available here. Thanks to Simon Scannell of Google’s Cloud Vulnerability Research team for discovering and analysing the issue.

The MacPorts Port Managers