Date: Fri, 29 Mar 2024 18:15:55 +0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID: <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c>
In-Reply-To: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>

On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
>
> All supported FreeBSD releases include versions of xz that predate the affected releases.
>
> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.

Hey Gordon,

Is there potential for Linux jails on FreeBSD systems (i.e., deployments making use of the Linuxulator) to be impacted? Assuming amd64 here, too.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc