Date:      Sat, 30 Mar 2024 10:22:05 +0900
From:      Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To:        stable@freebsd.org
Subject:   Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Message-ID:  <20240330102205.6da8d3ca7cba362cb3d2ebe8@dec.sakura.ne.jp>
In-Reply-To: <NuBvLSh--3-9@tuta.io>
References:  <NuBvLSh--3-9@tuta.io>

On Sat, 30 Mar 2024 02:15:53 +0100 (CET)
henrichhartzer@tuta.io wrote:

> Hi everyone,
> 
> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
> 
> I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
> 
> The Github repository has currently been locked out.
> 
> Hoping that someone more aware of what's going on can offer more insight.
> 
> Thanks!
> 
> -Henrich

At least base is not affected. See [1] and [2].

[1]
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

[2]
https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/


-- 
Tomoaki AOKI    <junchoon@dec.sakura.ne.jp>