xz and libarchive: investigate for CVE-2024-3094
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
xz has been found to contain a backdoor: https://www.openwall.com/lists/oss-security/2024/03/29/4
CMake vendors 5.2.5, which should be fine to use according to the information at time, but great care must be taken in case of a future update.
The author of the backdoor has also contributed suspicious code to the libarchive project (https://github.com/libarchive/libarchive/commit/e37efc16c8665f405182dd77eb1bbb32376f5484), so that should also be kept an eye on.