Date:      Thu, 4 Apr 2024 01:14:52 -0500
From:      Kyle Evans <kevans@FreeBSD.org>
To:        FreeBSD User <freebsd@walstatt-de.de>, FreeBSD CURRENT <freebsd-current@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID:  <f0f63907-ffb4-4aa9-809c-c68c090e8364@FreeBSD.org>
In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
References:  <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>

On 4/4/24 00:49, FreeBSD User wrote:
> Hello,
> 
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> 
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
> to judge whether the described exploit mechanism also works on FreeBSD.
> RedHat already sent out a warning, the workaround is to move back towards an older variant.
> 
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
> so I would like to welcome any comment on that.
> 
> Thanks in advance,
> 
> O. Hartmann
> 
> 

See so@'s answer from a couple days ago:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

TL;DR no

Thanks,

Kyle Evans


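Added here as an editor's example, not code from the thread, from so@'s answer or from the FreeBSD project: a small POSIX-shell triage helper for the question the original poster is asking (is a flagged xz release installed, and does it reach sshd). It assumes two pieces of background not stated on this page: the malicious code in CVE-2024-3094 shipped in the liblzma builds of the xz 5.6.0 and 5.6.1 release tarballs, and on the affected Linux builds it was reached because sshd had liblzma mapped into its process. The sample `xz --version` and `ldd` strings are constructed for illustration; run with `--live` to query the current host instead. A version match alone is not proof of compromise, which is consistent with the reply above that FreeBSD is not affected.

```shell
#!/bin/sh
# Added example (not from the original thread): triage helpers for CVE-2024-3094.
# Assumed background: the malicious code shipped in the xz 5.6.0 and 5.6.1
# release tarballs (liblzma), and on affected Linux builds it ran inside sshd
# because sshd had liblzma loaded. These checks report whether a host has a
# flagged version and whether sshd links liblzma; they do not prove
# exploitability, which depends on how that liblzma was built.

# Return 0 if the given xz/liblzma version string is one of the two
# flagged releases, 1 otherwise.
xz_version_flagged() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`
# output, e.g. "xz (XZ Utils) 5.6.0" -> "5.6.0". Prints nothing if the
# banner does not end in a version number.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# Return 0 if ldd(1) output lists liblzma among a binary's shared
# libraries, 1 otherwise. Input is the full ldd output as one string.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine the two checks into one verdict line for a host.
# Arguments: the `xz --version` banner, the ldd output for sshd.
xz_triage() {
    ver=$(xz_version_from_banner "$1")
    if xz_version_flagged "$ver"; then
        if ldd_links_liblzma "$2"; then
            echo "REVIEW: xz $ver installed and sshd loads liblzma"
        else
            echo "DOWNGRADE: xz $ver installed, sshd does not load liblzma"
        fi
    else
        echo "OK: xz ${ver:-unknown} is not a flagged release"
    fi
}

# With --live, query the running host; otherwise use constructed sample
# strings so the script demonstrates itself offline.
if [ "${1:-}" = "--live" ]; then
    xz_triage "$(xz --version 2>/dev/null)" \
              "$(ldd "$(command -v sshd)" 2>/dev/null)"
else
    sample_xz='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
    # Constructed ldd output modelled on a base-system sshd with no liblzma.
    sample_ldd='/usr/sbin/sshd:
	libcrypto.so.30 => /lib/libcrypto.so.30 (0x3b0d0c000)
	libc.so.7 => /lib/libc.so.7 (0x3b1a00000)'
    xz_triage "$sample_xz" "$sample_ldd"
fi
```

The verdict strings are deliberately coarse: "DOWNGRADE" means the flagged version is present but the known sshd path is absent, so rolling back (the workaround the original poster mentions) is the cautious move; "REVIEW" means both conditions hold and the host deserves a closer look at where its liblzma came from.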

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f0f63907-ffb4-4aa9-809c-c68c090e8364>