From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
Reply-To: freebsd-security@freebsd.org
Date: Thu, 28 Mar 2024 07:51:02 +0000 (UTC)
Message-Id: <20240328075102.10441343C@freefall.freebsd.org>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-24:03.unbound                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in unbound

Category:       contrib
Module:         unbound
Announced:      2024-03-28
Affects:        FreeBSD 13.2 and FreeBSD 14.0
Corrected:      2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE)
                2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6)
                2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE)
                2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11)
CVE Name:       CVE-2023-50387, CVE-2023-50868

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Unbound is a validating, recursive, and caching DNS resolver.

II.  Problem Description

The KeyTrap vulnerability (CVE-2023-50387) works by using a combination of
Keys (also colliding Keys), Signatures and number of RRSETs on a malicious
zone. Answers from that zone can force a DNSSEC validator down a very CPU
intensive and time costly validation path.

The NSEC3 vulnerability (CVE-2023-50868) uses specially crafted responses on
a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down
a very CPU intensive and time costly NSEC3 hash calculation path.

III. Impact

Both issues can force Unbound to spend an enormous time (comparative to
regular traffic) validating a single specially crafted DNSSEC response while
everything else is on hold for that thread. A trivially orchestrated attack
could render all threads busy with such responses leading to denial of
service.

IV.  Workaround

No workaround is available. Systems not running Unbound are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.0]
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch.asc
# gpg --verify unbound-14.patch.asc

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch.asc
# gpg --verify unbound-13.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch -p0 < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              e2b44c401cc2    stable/14-n266696
releng/14.0/                            c189b94f8a22  releng/14.0-n265416
stable/13/                              abe4ced2b9de    stable/13-n257436
releng/13.2/                            d9d90e5e42f6  releng/13.2-n254664
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
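
Added example (not part of the advisory and not FreeBSD project code): a POSIX sh helper that classifies a base-system version string against the advisory's "Corrected" and "Correction details" tables. The sa2403_* function names and the sample inputs are constructed for illustration; the patch levels and commit counts are the ones listed in the advisory. It covers only the base-system Unbound, not the dns/unbound port.

```sh
#!/bin/sh
# Added example, not FreeBSD project code. Thresholds are copied from the
# "Corrected" and "Correction details" tables of FreeBSD-SA-24:03.unbound.
# Function names (sa2403_*) and the sample inputs are constructed here.

# sa2403_release_status VERSION
#   VERSION: userland version as printed by `freebsd-version -u`,
#   for example 14.0-RELEASE-p5.
#   Prints: fixed | vulnerable | check-commit-count | not-listed
sa2403_release_status() {
    sa_ver=$1
    case $sa_ver in
        14.0-RELEASE*) sa_need=6 ;;    # releng/14.0 fixed in 14.0-RELEASE-p6
        13.2-RELEASE*) sa_need=11 ;;   # releng/13.2 fixed in 13.2-RELEASE-p11
        14.0-STABLE*|13.2-STABLE*)
            # -STABLE carries no patch level; compare commit counts instead.
            echo check-commit-count; return 0 ;;
        *)  echo not-listed; return 0 ;;
    esac
    case $sa_ver in
        *-RELEASE)    sa_have=0 ;;               # no -pN suffix means p0
        *-RELEASE-p*) sa_have=${sa_ver##*-p} ;;
        *)            echo not-listed; return 0 ;;
    esac
    case $sa_have in
        ''|*[!0-9]*) echo not-listed; return 0 ;;  # malformed patch level
    esac
    if [ "$sa_have" -ge "$sa_need" ]; then echo fixed; else echo vulnerable; fi
}

# sa2403_commit_status TAG
#   TAG: text containing "<branch>-n<count>", the form used in the Revision
#   column, where <count> is the output of
#   `git rev-list --count --first-parent HEAD` in the source tree.
#   Prints: fixed | vulnerable | not-listed
sa2403_commit_status() {
    for sa_entry in stable/14:266696 releng/14.0:265416 \
                    stable/13:257436 releng/13.2:254664; do
        sa_branch=${sa_entry%:*}
        sa_need=${sa_entry#*:}
        case $1 in
            *"$sa_branch-n"[0-9]*)
                sa_rest=${1#*"$sa_branch-n"}     # text after "<branch>-n"
                sa_count=${sa_rest%%[!0-9]*}     # keep the leading digits
                if [ "$sa_count" -ge "$sa_need" ]; then
                    echo fixed
                else
                    echo vulnerable
                fi
                return 0 ;;
        esac
    done
    echo not-listed
}

# Constructed sample inputs.
for sa_sample in 14.0-RELEASE-p5 14.0-RELEASE-p6 13.2-RELEASE \
                 13.2-RELEASE-p11 14.0-STABLE 13.3-RELEASE; do
    printf '%-20s %s\n' "$sa_sample" "$(sa2403_release_status "$sa_sample")"
done
for sa_sample in stable/14-n266500 stable/13-n257436 releng/14.0-n265416; do
    printf '%-20s %s\n' "$sa_sample" "$(sa2403_commit_status "$sa_sample")"
done
```

On a live host the arguments would be `"$(freebsd-version -u)"` and a tag built from the branch name and the commit count of the tree the userland was built from.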

From: DutchDaemon - FreeBSD Forums Administrator
Organization: The FreeBSD Forums
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
Date: Thu, 28 Mar 2024 10:25:49 +0100
In-Reply-To: <20240328075102.10441343C@freefall.freebsd.org>

On 28-3-2024 08:51, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-24:03.unbound                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Multiple vulnerabilities in unbound
>
> Category:       contrib
> Module:         unbound
> Announced:      2024-03-28
> Affects:        FreeBSD 13.2 and FreeBSD 14.0
> Corrected:      2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE)
>                 2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6)
>                 2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE)
>                 2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11)
> CVE Name:       CVE-2023-50387, CVE-2023-50868

What is the status of the dns/unbound port?

From: Dr Jim Allen
To: DutchDaemon - FreeBSD Forums Administrator
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
Date: Thu, 28 Mar 2024 11:24:19 +0000
Message-ID: <20240328112419.GA12420@mrnosie.yard-hw.sycamorestables.net>

Freshports shows "unbound" :-

>dns/unbound: Update to 1.19.1
>
>Release notes at
> https://www.nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/

on 14th Feb and that update contained the fixes for both CVE-2023-50387 and
CVE-2023-5086

https://www.nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/

So via ports I believe you are GTG. :-)

On Thu, Mar 28, 2024 at 10:25:49AM +0100, DutchDaemon - FreeBSD Forums Administrator [Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound] wrote:
> On 28-3-2024 08:51, FreeBSD Security Advisories wrote:
> > =============================================================================
> > FreeBSD-SA-24:03.unbound                                    Security Advisory
>
> What is the status of the dns/unbound port?
>

From: Gordon Tetlow
To: DutchDaemon - FreeBSD Forums Administrator
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound
Date: Thu, 28 Mar 2024 11:28:31 -0700
Message-Id: <78C04BB8-0A32-4DD6-9BAD-027D5C086272@tetlows.org>

Per FreshPorts, the dns/unbound port was fixed on 14 Feb 2024 when it was
upgraded to 1.19.1.

Best,
Gordon

> On Mar 28, 2024, at 2:25 AM, DutchDaemon - FreeBSD Forums Administrator wrote:
>
> On 28-3-2024 08:51, FreeBSD Security Advisories wrote:
>> =============================================================================
>> FreeBSD-SA-24:03.unbound                                    Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          Multiple vulnerabilities in unbound
>>
>> Category:       contrib
>> Module:         unbound
>> Announced:      2024-03-28
>> Affects:        FreeBSD 13.2 and FreeBSD 14.0
>> Corrected:      2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE)
>>                 2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6)
>>                 2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE)
>>                 2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11)
>> CVE Name:       CVE-2023-50387, CVE-2023-50868
>
>
> What is the status of the dns/unbound port?
>

From: Gordon Tetlow
To: freebsd-security@freebsd.org
Subject: Disclosed backdoor in xz releases - FreeBSD not affected
Date: Fri, 29 Mar 2024 10:02:14 -0700
Message-Id: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>

FreeBSD is not affected by the recently announced backdoor included in the
5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the
affected releases.

The main, stable/14, and stable/13 branches do include the affected version
(5.6.0), but the backdoor components were excluded from the vendor import.
Additionally, FreeBSD does not use the upstream's build tooling, which was a
required part of the attack. Lastly, the attack specifically targeted x86_64
Linux systems using glibc.

The FreeBSD ports collection does not include xz/liblzma.

Reference:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Best regards,
Gordon Tetlow
Hat: security-officer

From: Shawn Webb
To: Gordon Tetlow
Cc: freebsd-security@freebsd.org
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
Date: Fri, 29 Mar 2024 18:15:55 +0000
In-Reply-To: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>

On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
>
> All supported FreeBSD releases include versions of xz that predate the affected releases.
>
> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.

Hey Gordon,

Is there potential for Linux jails on FreeBSD systems (i.e., deployments
making use of the Linuxulator) to be impacted? Assuming amd64 here,
too.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

From: mike tancsa
To: "freebsd-security@freebsd.org"
Date: Fri, 29 Mar 2024 14:22:52 -0400
Subject: xz security issue ? (CVE-2024-3094)

From the Red Hat advisory,

What is the malicious code?
The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.

Is there any exposure to this on FreeBSD ?
    ---Mike

From: mike tancsa
To: "freebsd-security@freebsd.org"
Date: Fri, 29 Mar 2024 14:31:26 -0400
Subject: Re: xz security issue ? (CVE-2024-3094)

Oh, I didn't see the earlier email for some reason. Thanks Gordon for the email clarification!

    ---Mike

On 3/29/2024 2:22 PM, mike tancsa wrote:
> From the Red Hat advisory,
>
> What is the malicious code?
> The malicious injection present in the xz versions 5.6.0 and 5.6.1
> libraries is obfuscated and only included in full in the download
> package - the Git distribution lacks the M4 macro that triggers the
> build of the malicious code. The second-stage artifacts are present in
> the Git repository for the injection during the build time, in case
> the malicious M4 macro is present.
>
> The resulting malicious build interferes with authentication in sshd
> via systemd. SSH is a commonly used protocol for connecting remotely
> to systems, and sshd is the service that allows access. Under the
> right circumstances this interference could potentially enable a
> malicious actor to break sshd authentication and gain unauthorized
> access to the entire system remotely.
>
> Is there any exposure to this on FreeBSD ?
>
>     ---Mike
>

From: Gordon Tetlow
To: Shawn Webb
Cc: freebsd-security@freebsd.org
Date: Fri, 29 Mar 2024 11:43:48 -0700
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected

> On Mar 29, 2024, at 11:15 AM, Shawn Webb wrote:
>
> On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
>> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
>>
>> All supported FreeBSD releases include versions of xz that predate the affected releases.
>>
>> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
>
> Hey Gordon,
>
> Is there potential for Linux jails on FreeBSD systems (ie, deployments
> making use of the Linuxulator) to be impacted? Assuming amd64 here,
> too.

Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don't believe the vulnerability has any kernel dependencies that FreeBSD would provide protection.

Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.

Gordon

From: Alan Somers
To: freebsd-security
Cc: Xin Li
Date: Fri, 29 Mar 2024 17:47:51 -0600
Subject: Backdoor in xz 5.6.0

A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
snuck it into Fedora builds. That's the same version that FreeBSD
CURRENT uses. For multiple reasons we aren't vulnerable (the
malicious code isn't included in xz's git repo, only its dist
tarballs, the malicious code is only triggered on x86_64 linux in an
rpm or deb build, and the malicious code resides in a .m4 file which
our build process doesn't use). But upstream considers all of 5.6.0
to be untrustworthy and recommends that everyone to 5.4.5.

summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
details: https://www.openwall.com/lists/oss-security/2024/03/29/4

From: Shawn Webb
To: Alan Somers
Cc: freebsd-security, Xin Li
Date: Sat, 30 Mar 2024 00:12:00 +0000
Subject: Re: Backdoor in xz 5.6.0

On Fri, Mar 29, 2024 at 05:47:51PM -0600, Alan Somers wrote:
> A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
> snuck it into Fedora builds. That's the same version that FreeBSD
> CURRENT uses. For multiple reasons we aren't vulnerable (the
> malicious code isn't included in xz's git repo, only its dist
> tarballs, the malicious code is only triggered on x86_64 linux in an
> rpm or deb build, and the malicious code resides in a .m4 file which
> our build process doesn't use). But upstream considers all of 5.6.0
> to be untrustworthy and recommends that everyone to 5.4.5.

I haven't seen any statement by upstream (the Tukaani project), yet.

The bad actor has enjoyed a maintainership role for the xz project for at least one-and-a-half years (since 2022). We might experience another "OpenSSL Heartbleed" reactionary moment whereby the entire project is audited. Until then, some folks would not consider it over-reactionary to distrust any work since the bad actor started contributing. This would apply to other projects the bad actor contributed to as well, like libarchive.

Thanks,

-- 
Shawn Webb

From: FreeBSD
To: freebsd-security@freebsd.org
Date: Sat, 30 Mar 2024 19:43:36 +0100
Subject: Re: Backdoor in xz 5.6.0

Hi all,
regarding xz… have you seen this? https://github.com/libarchive/libarchive/pull/1609

regards

On 3/30/24 00:47, Alan Somers wrote:
> A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
> snuck it into Fedora builds. That's the same version that FreeBSD
> CURRENT uses. For multiple reasons we aren't vulnerable (the
> malicious code isn't included in xz's git repo, only its dist
> tarballs, the malicious code is only triggered on x86_64 linux in an
> rpm or deb build, and the malicious code resides in a .m4 file which
> our build process doesn't use). But upstream considers all of 5.6.0
> to be untrustworthy and recommends that everyone to 5.4.5.
>
> summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
> details: https://www.openwall.com/lists/oss-security/2024/03/29/4
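
Gordon Tetlow's reply above advises addressing any Linux jail that has the vulnerable software installed, and the thread names xz 5.6.0 and 5.6.1 as the affected releases. The following is an added example, not part of any message in the thread: a POSIX sh triage check that lists liblzma shared objects by file-name version under jail roots given as arguments. The function names and script name are assumptions, and a file-name match is only a first pass; the jail distribution's own advisory remains the reference.

```shell
#!/bin/sh
# Added example (not from the thread): triage Linux jail roots for liblzma
# builds from the xz releases the thread names as backdoored, 5.6.0 and 5.6.1.
# Usage: sh check_liblzma.sh /path/to/jail/root [...]   (script name assumed)

# Exit 0 when VERSION is one of the affected releases named in the thread.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_root ROOT
# Prints one line per liblzma.so.<version> regular file under ROOT:
#   AFFECTED <version> <path>    or    ok <version> <path>
# Symlinks (e.g. liblzma.so.5 -> liblzma.so.5.x.y) are skipped so each
# library is reported once.
# Returns 0 = nothing affected, 1 = affected library found, 2 = bad ROOT.
scan_root() {
    lz_root=$1
    if [ ! -d "$lz_root" ]; then
        echo "scan_root: $lz_root: not a directory" >&2
        return 2
    fi
    lz_status=0
    lz_list=$(find "$lz_root" -type f -name 'liblzma.so.[0-9]*' 2>/dev/null | sort)
    # The here-document keeps the loop in the current shell, so lz_status
    # set inside the loop is still visible after it.
    while IFS= read -r lz_path; do
        [ -n "$lz_path" ] || continue
        lz_version=${lz_path##*/liblzma.so.}
        if is_affected_version "$lz_version"; then
            printf 'AFFECTED %s %s\n' "$lz_version" "$lz_path"
            lz_status=1
        else
            printf 'ok %s %s\n' "$lz_version" "$lz_path"
        fi
    done <<EOF
$lz_list
EOF
    return "$lz_status"
}

# scan_roots ROOT...
# Scans every root and returns the highest status seen.
scan_roots() {
    lz_worst=0
    for lz_r in "$@"; do
        lz_rc=0
        scan_root "$lz_r" || lz_rc=$?
        if [ "$lz_rc" -gt "$lz_worst" ]; then
            lz_worst=$lz_rc
        fi
    done
    return "$lz_worst"
}

# Run only when jail roots were passed on the command line.
if [ "$#" -gt 0 ]; then
    scan_roots "$@"
    exit $?
fi
```

A statically linked or renamed library will not be caught by this check, so an "ok" result does not replace the package-level guidance from the jail's distribution.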