Date:      Mon, 01 Apr 2024 13:04:27 +0200
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        "Patrick M. Hausen" <hausen@punkt.de>
Cc:        Freebsd Stable <freebsd-stable@freebsd.org>,  "henrichhartzer@tuta.io" <henrichhartzer@tuta.io>,  Jonathan Vasquez <jon@xyinn.org>
Subject:   Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Message-ID:  <86jzlh9wec.fsf@ltc.des.dev>
In-Reply-To: <02919DCB-5778-47C3-8754-249F76596928@punkt.de> (Patrick M. Hausen's message of "Sat, 30 Mar 2024 22:31:00 +0000")
References:  <NuBvLSh--3-9@tuta.io> <WSRHEPLzq0oUN8lQ4GAgVaWmeVkSD2UpN7y96L-am-aQs3R3bjp7PbWvB9A9cE8f3EKrZOlShQ_TC66G-yzWk9FI0PXdkVOHIHofJ9sw6jA=@xyinn.org> <02919DCB-5778-47C3-8754-249F76596928@punkt.de>

"Patrick M. Hausen" <hausen@punkt.de> writes:
> 4.	FreeBSD is - to my knowledge - not susceptible to this attack because our sshd
> 	is not linked to the compromised library at all.

That's not sufficient.  The attack payload is a binary blob and has not
been fully analyzed; it could have other effects which haven't yet been
discovered.  However, FreeBSD is not vulnerable because the version of
xz included in FreeBSD includes neither the attack payload nor the
trojaned build script which injects the payload into the library.

> 5.	Even if you installed a supposedly compromised xz from ports, there are probably
> 	no ill consequences.

We don't have an xz or liblzma port.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
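The two checks the message above separates (which xz release is installed, and whether sshd is linked against liblzma at all) as a small triage script. This is an added example, not code from the thread, from FreeBSD or from the xz project; it assumes the first line of `xz --version` has the form `xz (XZ Utils) <version>` and that `ldd` (or `otool -L` on macOS) lists linked libraries one per line. The default sshd path `/usr/sbin/sshd` is an assumption; pass another path as the second argument. The parsing functions take the tool output as a string so they can be run on the constructed samples embedded below; `--live` runs them against the real system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, FreeBSD or xz): triage
# for the xz 5.6.0/5.6.1 backdoor. As DES points out, "sshd is not linked
# to liblzma" alone does not settle the question, so the two checks are
# kept separate:
#   1. does `xz --version` report one of the backdoored releases, 5.6.0 or 5.6.1?
#   2. does `ldd <sshd>` show sshd dynamically linked to liblzma?

# Extract the bare version token from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the line does
# not have that layout (assumed format).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Exit 0 if the reported xz release is exactly 5.6.0 or 5.6.1, so that
# 5.4.x, 5.6.2 and later are not flagged.
xz_version_affected() {
    v=$(xz_version_from_output "$1")
    [ "$v" = "5.6.0" ] || [ "$v" = "5.6.1" ]
}

# Exit 0 if the given `ldd` (or `otool -L`) output references liblzma.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.'
}

# Combine both checks into a one-line verdict.
#   $1 = `xz --version` output, $2 = `ldd <sshd>` output
triage() {
    if xz_version_affected "$1"; then
        if links_liblzma "$2"; then
            echo "AFFECTED: backdoored xz release installed and sshd links liblzma"
        else
            echo "SUSPECT: backdoored xz release installed; sshd does not link liblzma, but the payload is not fully analyzed"
        fi
    else
        echo "CLEAR-BY-VERSION: xz is not 5.6.0/5.6.1"
    fi
}

# Constructed samples (not real system output) for exercising the parsers.
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_LDD_LINKED='	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0)
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x0)
	libc.so.6 => /lib/libc.so.6 (0x0)'
SAMPLE_LDD_NOT_LINKED='	libcrypto.so.30 => /lib/libcrypto.so.30 (0x0)
	libc.so.7 => /lib/libc.so.7 (0x0)'

if [ "${1:-}" = "--live" ]; then
    # Real run; the sshd path is an assumption and may be overridden.
    sshd_path="${2:-/usr/sbin/sshd}"
    triage "$(xz --version 2>/dev/null)" "$(ldd "$sshd_path" 2>/dev/null)"
else
    triage "$SAMPLE_XZ_BAD" "$SAMPLE_LDD_LINKED"
    triage "$SAMPLE_XZ_BAD" "$SAMPLE_LDD_NOT_LINKED"
    triage "$SAMPLE_XZ_OK"  "$SAMPLE_LDD_LINKED"
fi
```

Run as `sh triage.sh --live /usr/sbin/sshd` on a real host. The version string is only a first filter: a vendor may have reverted or patched a package without changing the reported release number, so a CLEAR-BY-VERSION verdict says the binary reports a different version, not that the host was never exposed, and, as the message says, sshd not linking liblzma rules out the known sshd hook but not other effects of a payload that has not been fully analyzed.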



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86jzlh9wec.fsf>