diff --git a/changelog/security/2024-04-02-xz-utils.md b/changelog/security/2024-04-02-xz-utils.md
new file mode 100644
index 00000000000..78553319eb6
--- /dev/null
+++ b/changelog/security/2024-04-02-xz-utils.md
@@ -0,0 +1 @@
+- Downgraded xz-utils to 5.4.2 as precaution even though Flatcar is not affected of the SSH backdoor ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094))
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
index 37e141bbd96..ec1a06d7c64 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/Manifest
@@ -1,12 +1,4 @@
-DIST xz-5.2.11.tar.gz 2130684 BLAKE2B e513f99b2e28fa79f32747e21138cc13ab9340e95a302ac742bc6bda088465488173ea212704c4612f4059bbbc6c6a5b041332d84b999dc7df5b3fab1b1ac4e9 SHA512 8f75450380563229465420f4518fa7a60bbe6f0c9a3b580c2a9a7bf9bf380ad69209f792764115c346d89c49711478e8db42325ef9a46ccd3a6ec72292890ac8
-DIST xz-5.2.11.tar.gz.sig 566 BLAKE2B 34186ea22960f508dd796736107b99e1e3884ffae683f26671f455e46e4debf87400f2d7bb64b446fb142370a8bcebc6c05dce34dcc2678a761b9401b1e23860 SHA512 036ed0f663e179057a805a41052d3e437fbfb9dbbe173c5180fbb255f5a01ac4fa2561424228f4e568e63b22802b3a4ffd88dec2ba7c41a454998ebea30bea7c
-DIST xz-5.2.12.tar.gz 2190541 BLAKE2B 9ca5ecf753ae264f542ec53b4c9a1c85466bc2a932651aafb0ae2a3ebb7d3979a9384e9a81f16173c2d6d14ca8b86e4a820191817675a5e9fd214a64cf364c98 SHA512 1a67112eb1cfd70352c41a1cbb5e34eacd6da2ae816f5020385772a7698b835d059843c2c30461beb15b7514e95906b2033dac6abf09248b5837270420dfe732
-DIST xz-5.2.12.tar.gz.sig 566 BLAKE2B 93d0fb89186ccf018d17278823c2c6cc724798acfe425fd01ecf54338e53451d94b1ad951f2f1ec58171a3eb827fcd6b5d9dcb97da72c5d8545d57d9fba0597b SHA512 0734e1838dd9ab7ba06675af0f4ff5866c0e5c268f0c3e2ca6f12fa8f27b41830d11063244b0039f8d8ba184efc1c1b7b9a7311c378a02abc1290d7727357cb6
 DIST xz-5.4.2.tar.gz 2799022 BLAKE2B 3c622b0823f0cbb5fbc5eaa0372fc2f0fefe0950d131417f831bce47b6d9747d145429f0649de106819331f9ae6a289c497182c7b6d1e211513308dd083a9b72 SHA512 149f980338bea3d66de1ff5994b2b236ae1773135eda68b62b009df0c9dcdf5467f8cb2c06da95a71b6556d60bd3d21f475feced34d5dfdb80ee95416a2f9737
 DIST xz-5.4.2.tar.gz.sig 566 BLAKE2B 95c9c70fdd25b92095dd9691e4d9d4306a3f982becfe7bd42ca6132a76f29be2c2bc66f4fc2bda547058c18e227292f4185799eb905084fc3ab415ae867b4b1b SHA512 30e965c228ed3a8ecb804db8eb11703a765b7ee934030ea69bb3940b630811eb71bf74fd20371ef7759761904ece4f0144a0b00be4d843cf98299fd016f161aa
-DIST xz-5.4.3.tar.gz 2869347 BLAKE2B c4192a59ca751567ebab17e08e72aa1bf0f5ca14af0b59fded1c4dff02c1b76ab30119a4138932f78f69bd4b7827071c81d6ca1c56be65491466ea061786ed78 SHA512 aff0fe166af6df4491a6f5df2372cab100b081452461a0e8c6fd65b72af3f250f16c64d9fb8fd309141e9b9ae4e41649f48687cc29e63dd82f27f2eab19b4023
-DIST xz-5.4.3.tar.gz.sig 566 BLAKE2B 1e3f86a2de532e77cae4c31928d57edeac81ca207e03c71523210605dc6bab76a50793697a242b232f74911c6e1872a0339ed977e2dd0d201504bd859fd3b4f4 SHA512 b7c7eedf4d9604ee50ec97275e5ab57e22a567402815281440ca765210c75707bd2de20e7ebfb0842725690ae19557916fc41a9fbdace5fec8190632b038292e
-DIST xz-5.4.4.tar.gz 2874706 BLAKE2B 0ade3767651a07a6bb4d53b510d7e97239e182788c42bc3388b97c54463ccaa968e27bcb88d34697df70381eea91279615f2622b5493ae2da22632e9576d8989 SHA512 2e27d864c9f346e53afc549d7046385b5d35a749af15d84f69de14612657df2f0e2ce71d3be03d57adadf8fd28549ecf4ef1c214bdcd1f061b5a47239e0104e8
-DIST xz-5.4.4.tar.gz.sig 566 BLAKE2B 9d695293fe479e07b4051f9b22af19191ec7cb5063da519769a24a08cff46819a4f29db002cea92e4af982410dd660d9b3185c8ef0908abbf13b86f89c0baa0f SHA512 6f12f0b30e4e5c78238f5d758443621d4126edf5ec8d02c51f06cc27e40822f0429c2018ec567eae20d118a81295f9d31e2f9101720d289bebab15f72590e9f2
-DIST xz-5.4.5.tar.gz 2884510 BLAKE2B 647c8227080a7f37e3321e778d7f52ccb9da3810f2be81b2d2b46001605b22cef6e724f9b3facfada26a12b24401c9a11449d6066443849b37b28e0eaa199315 SHA512 91f8f548c915de0ed79cee13ce0336b51c1cebf2eb142fa1efecfd07771c662c99cad3730540fcb712057ab274130e13b87960f6b4c62f0bd9477f27a303fb2b
-DIST xz-5.4.5.tar.gz.sig 566 BLAKE2B c6ec64f92ecb30395e6d580be5d0aad1ee007585245ed42e7b05f1ea3a8cd8bf4317e8dc964c65417daa0a04e8f523c6ba8ae61a7f5b2ff3dc17dd53c7593ce2 SHA512 4f2c779d3c14bacd0451cfd68846201a48931128994c4119fcbf4f0dd7331710c32098039d38561de29327d543d67174fddbb6a83cb2fcfda9b3153cab092d4d
+DIST xz-5.4.6.tar.gz 2889306 BLAKE2B f0bbd33ea7cd64d475c3501f6e76080c8c0080e377f23462f5f76459935f4e621538ddaa8452d2feaed278d62a596e38ed2aca18ed9e76512c4ec77fa2f4cc5f SHA512 b08a61d8d478d3b4675cb1ddacdbbd98dc6941a55bcdd81a28679e54e9367d3a595fa123ac97874a17da571c1b712e2a3e901c2737099a9d268616a1ba3de497
+DIST xz-5.4.6.tar.gz.sig 566 BLAKE2B 808f1b5e2a17729f36a05ba88a9c00210cda2afa02923e6f289d13dc2a48f7674cafec6e25660e142d67f01dd941c7390cee2757b054df3a3193dde0791363a1 SHA512 d5e32b944e7492a32c40f675d918796e077f63490a23c6fce5c4d6d1eebc443f129d27a2e888913c5a36c3ffdac75b9c96c1749402283445e0ba9ff72b965741
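Review bot: The Manifest gains DIST entries for `xz-5.4.6.tar.gz` and its `.sig`, but no xz-utils-5.4.6 ebuild is added or modified in the visible part of this diff, and the changelog entry says the package is pinned to 5.4.2. If nothing in the tree references these distfiles, the two lines are dead entries and should go when the Manifest is regenerated. If a 5.4.6 ebuild does exist outside this view, it contradicts the stated downgrade, and it is worth confirming which key it verifies against, since the removed 5.4.3–5.4.5 ebuilds all point `VERIFY_SIG_OPENPGP_KEY_PATH` at `jiatan.asc`.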
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/files/xz-utils-5.4.2-Wsign-conversion.patch b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/files/xz-utils-5.4.2-Wsign-conversion.patch
deleted file mode 100644
index 217cc759a90..00000000000
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/files/xz-utils-5.4.2-Wsign-conversion.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-https://github.com/tukaani-project/xz/commit/0673c9ec98b6bae12b33dc295564514aaa26e2fc
-
-From 0673c9ec98b6bae12b33dc295564514aaa26e2fc Mon Sep 17 00:00:00 2001
-From: Lasse Collin <lasse.collin@tukaani.org>
-Date: Sun, 19 Mar 2023 22:45:59 +0200
-Subject: [PATCH] liblzma: Silence -Wsign-conversion in SSE2 code in
- memcmplen.h.
-
-Thanks to Christian Hesse for reporting the issue.
-Fixes: https://github.com/tukaani-project/xz/issues/44
---- a/src/liblzma/common/memcmplen.h
-+++ b/src/liblzma/common/memcmplen.h
-@@ -89,7 +89,8 @@ lzma_memcmplen(const uint8_t *buf1, const uint8_t *buf2,
- 	// version isn't used on x86-64.
- #	define LZMA_MEMCMPLEN_EXTRA 16
- 	while (len < limit) {
--		const uint32_t x = 0xFFFF ^ _mm_movemask_epi8(_mm_cmpeq_epi8(
-+		const uint32_t x = 0xFFFF ^ (uint32_t)_mm_movemask_epi8(
-+			_mm_cmpeq_epi8(
- 			_mm_loadu_si128((const __m128i *)(buf1 + len)),
- 			_mm_loadu_si128((const __m128i *)(buf2 + len))));
- 
-
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.11.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.11.ebuild
deleted file mode 100644
index f767a84786e..00000000000
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.11.ebuild
+++ /dev/null
@@ -1,118 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=7
-
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://git.tukaani.org/xz.git"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="+extra-filters nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20230213 )"
-fi
-
-# Tests currently do not account for smaller feature set
-RESTRICT="!extra-filters? ( test )"
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-	rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.12.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.12.ebuild
deleted file mode 100644
index 677416c79eb..00000000000
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.2.12.ebuild
+++ /dev/null
@@ -1,118 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=8
-
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	EGIT_REPO_URI="https://git.tukaani.org/xz.git"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="+extra-filters nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-# Tests currently do not account for smaller feature set
-RESTRICT="!extra-filters? ( test )"
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-	rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
index 39a9c712d3e..982f62b0c16 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.2.ebuild
@@ -1,12 +1,12 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # Remember: we cannot leverage autotools in this ebuild in order
 #           to avoid circular deps with autotools
 
-EAPI=7
+EAPI=8
 
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
+inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs
 
 if [[ ${PV} == 9999 ]] ; then
 	# Per tukaani.org, git.tukaani.org is a mirror of github and
@@ -18,18 +18,18 @@ if [[ ${PV} == 9999 ]] ; then
 	inherit git-r3 autotools
 
 	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
+	BDEPEND="sys-devel/gettext >=dev-build/libtool-2"
 else
 	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 	inherit verify-sig
 
 	MY_P="${PN/-utils}-${PV/_}"
 	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
+		https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz
 		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
 		https://tukaani.org/xz/${MY_P}.tar.gz
 		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
+			https://github.com/tukaani-project/xz/releases/download/v${PV/_}/${MY_P}.tar.gz.sig
 			https://tukaani.org/xz/${MY_P}.tar.gz.sig
 		)
 	"
@@ -47,16 +47,12 @@ HOMEPAGE="https://tukaani.org/xz/"
 # See top-level COPYING file as it outlines the various pieces and their licenses.
 LICENSE="public-domain LGPL-2.1+ GPL-2+"
 SLOT="0"
-IUSE="doc +extra-filters nls static-libs"
+IUSE="doc +extra-filters pgo nls static-libs"
 
 if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20230213 )"
+	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi
 
-PATCHES=(
-	"${FILESDIR}"/${P}-Wsign-conversion.patch
-)
-
 src_prepare() {
 	default
 
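Review bot: The `verify-sig?` dependency loses its version floor, so any installed sec-keys/openpgp-keys-lassecollin now satisfies it, including one older than the `20230213` snapshot the previous line required. If that floor was there because the 5.4.2 signature needs the key material from that snapshot (not visible here), signature verification could fail or run against a stale keyring. Since this ebuild is now the only one kept, I would keep the constraint: `BDEPEND+=" verify-sig? ( >=sec-keys/openpgp-keys-lassecollin-20230213 )"`. The PATCHES removal in the same hunk matches the deleted Wsign-conversion patch file and looks consistent.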
@@ -107,10 +103,24 @@ multilib_src_configure() {
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 }
 
-multilib_src_install() {
-	default
+multilib_src_compile() {
+	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
+	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
+	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
+
+	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
 
-	gen_usr_ldscript -a lzma
+	if use pgo ; then
+		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
+
+		if tc-is-clang; then
+			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
+		fi
+
+		emake clean
+		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
+	fi
 }
 
 multilib_src_install_all() {
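Review bot: The new `multilib_src_compile` does not say that with USE=pgo the test suite runs inside the compile phase (`emake ... -k check`) and that its profile output decides how the final binaries are built. That makes everything under the tarball's test directory a build input rather than an optional check, which is worth stating given why this package is being pinned. I would add a comment above the `if use pgo` block such as `# With USE=pgo the test suite runs here, regardless of FEATURES=test, and its profile data feeds the final build`. The unquoted `${ABI}` in `"${T}"/${ABI}-pgo` is harmless in practice but could be quoted along with `${T}` for consistency.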
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.3.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.3.ebuild
deleted file mode 100644
index 06aa8a182b4..00000000000
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.3.ebuild
+++ /dev/null
@@ -1,126 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=7
-
-inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	# Per tukaani.org, git.tukaani.org is a mirror of github and
-	# may be behind.
-	EGIT_REPO_URI="
-		https://github.com/tukaani-project/xz
-		https://git.tukaani.org/xz.git
-	"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="doc +extra-filters nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(multilib_native_use_enable doc)
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	if use doc ; then
-		rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-	fi
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.4.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.4.ebuild
deleted file mode 100644
index 817c272e119..00000000000
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.4.ebuild
+++ /dev/null
@@ -1,146 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=8
-
-inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	# Per tukaani.org, git.tukaani.org is a mirror of github and
-	# may be behind.
-	EGIT_REPO_URI="
-		https://github.com/tukaani-project/xz
-		https://git.tukaani.org/xz.git
-	"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="doc +extra-filters pgo nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(multilib_native_use_enable doc)
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_compile() {
-	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
-	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
-	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-
-	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
-
-	if use pgo ; then
-		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
-
-		if tc-is-clang; then
-			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
-		fi
-
-		emake clean
-		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
-	fi
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	if use doc ; then
-		rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-	fi
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
deleted file mode 100644
index 817c272e119..00000000000
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-5.4.5.ebuild
+++ /dev/null
@@ -1,146 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Remember: we cannot leverage autotools in this ebuild in order
-#           to avoid circular deps with autotools
-
-EAPI=8
-
-inherit flag-o-matic libtool multilib multilib-minimal preserve-libs toolchain-funcs usr-ldscript
-
-if [[ ${PV} == 9999 ]] ; then
-	# Per tukaani.org, git.tukaani.org is a mirror of github and
-	# may be behind.
-	EGIT_REPO_URI="
-		https://github.com/tukaani-project/xz
-		https://git.tukaani.org/xz.git
-	"
-	inherit git-r3 autotools
-
-	# bug #272880 and bug #286068
-	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
-	inherit verify-sig
-
-	MY_P="${PN/-utils}-${PV/_}"
-	SRC_URI="
-		https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz
-		mirror://sourceforge/lzmautils/${MY_P}.tar.gz
-		https://tukaani.org/xz/${MY_P}.tar.gz
-		verify-sig? (
-			https://github.com/tukaani-project/xz/releases/download/v${PV}/${MY_P}.tar.gz.sig
-			https://tukaani.org/xz/${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-	fi
-
-	S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Utils for managing LZMA compressed files"
-HOMEPAGE="https://tukaani.org/xz/"
-
-# See top-level COPYING file as it outlines the various pieces and their licenses.
-LICENSE="public-domain LGPL-2.1+ GPL-2+"
-SLOT="0"
-IUSE="doc +extra-filters pgo nls static-libs"
-
-if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
-fi
-
-src_prepare() {
-	default
-
-	if [[ ${PV} == 9999 ]] ; then
-		eautopoint
-		eautoreconf
-	else
-		# Allow building shared libs on Solaris/x64
-		elibtoolize
-	fi
-}
-
-multilib_src_configure() {
-	local myconf=(
-		--enable-threads
-		$(multilib_native_use_enable doc)
-		$(use_enable nls)
-		$(use_enable static-libs static)
-	)
-
-	if ! multilib_is_native_abi ; then
-		myconf+=(
-			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
-		)
-	fi
-
-	if ! use extra-filters ; then
-		myconf+=(
-			# LZMA1 + LZMA2 for standard .lzma & .xz files
-			--enable-encoders=lzma1,lzma2
-			--enable-decoders=lzma1,lzma2
-
-			# those are used by default, depending on preset
-			--enable-match-finders=hc3,hc4,bt4
-
-			# CRC64 is used by default, though some (old?) files use CRC32
-			--enable-checks=crc32,crc64
-		)
-	fi
-
-	if [[ ${CHOST} == *-solaris* ]] ; then
-		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
-
-		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
-		myconf+=( --disable-path-for-script )
-	fi
-
-	ECONF_SOURCE="${S}" econf "${myconf[@]}"
-}
-
-multilib_src_compile() {
-	# -fprofile-partial-training because upstream note the test suite isn't super comprehensive
-	# See https://documentation.suse.com/sbp/all/html/SBP-GCC-10/index.html#sec-gcc10-pgo
-	local pgo_generate_flags=$(usev pgo "-fprofile-update=atomic -fprofile-dir=${T}/${ABI}-pgo -fprofile-generate=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-	local pgo_use_flags=$(usev pgo "-fprofile-use=${T}/${ABI}-pgo -fprofile-dir=${T}/${ABI}-pgo $(test-flags-CC -fprofile-partial-training)")
-
-	emake CFLAGS="${CFLAGS} ${pgo_generate_flags}"
-
-	if use pgo ; then
-		emake CFLAGS="${CFLAGS} ${pgo_generate_flags}" -k check
-
-		if tc-is-clang; then
-			llvm-profdata merge "${T}"/${ABI}-pgo --output="${T}"/${ABI}-pgo/default.profdata || die
-		fi
-
-		emake clean
-		emake CFLAGS="${CFLAGS} ${pgo_use_flags}"
-	fi
-}
-
-multilib_src_install() {
-	default
-
-	gen_usr_ldscript -a lzma
-}
-
-multilib_src_install_all() {
-	find "${ED}" -type f -name '*.la' -delete || die
-
-	if use doc ; then
-		rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
-	fi
-}
-
-pkg_preinst() {
-	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
-
-pkg_postinst() {
-	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
index 817c272e119..946c918493d 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/xz-utils/xz-utils-9999.ebuild
@@ -20,7 +20,7 @@ if [[ ${PV} == 9999 ]] ; then
 	# bug #272880 and bug #286068
 	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
 else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/jiatan.asc
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/lassecollin.asc
 	inherit verify-sig
 
 	MY_P="${PN/-utils}-${PV/_}"
@@ -50,12 +50,15 @@ SLOT="0"
 IUSE="doc +extra-filters pgo nls static-libs"
 
 if [[ ${PV} != 9999 ]] ; then
-	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
+	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
 fi
 
 src_prepare() {
 	default
 
+	# Delete known-compromised test data (bug #928134)
+	rm tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die
+
 	if [[ ${PV} == 9999 ]] ; then
 		eautopoint
 		eautoreconf
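Review bot: The added `rm` sits before the `${PV} == 9999` test and has no `-f`, so `src_prepare` dies whenever either file is missing from the source tree. That will happen once upstream deletes them, or if this live ebuild is copied to a release version whose tarball never shipped them. If the hard failure is meant as a tripwire, the comment should say so, e.g. `# Delete known-compromised test data (bug #928134); dies on purpose if the files move so this gets re-audited`. Otherwise use `rm -f tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma || die`. Either way the deletion covers only these two named files, and the live ebuild still builds whatever the `EGIT_REPO_URI` head is, so pinning with `EGIT_COMMIT` or masking 9999 would be a stronger precaution.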