Date: Sun, 7 Apr 2024 20:42:59 +0000 (UTC) From: Alexander Burke <alex-freebsd-security@alexburke.ca> To: =?UTF-8?Q?C=C3=A9dric_Weis?= <hawei@free.fr> Cc: freebsd-security@freebsd.org Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected Message-ID: <281a2f41-7bbf-4e20-bb4a-630d839e9708@alexburke.ca>
index | next in thread | raw e-mail
Bonjour Cédric, We can't; you must do it yourself by sending an email (even a blank one) to: freebsd-security+unsubscribe@freebsd.org ---------------------------------------- 2024-04-07T11:57:04Z Cédric Weis <hawei@free.fr>: > Unsubscribe me please. I don't know how to to it by myself. > > Le 07/04/2024 11:35, « Chen, Alvin W » <owner-freebsd-security@freebsdorg <mailto:owner-freebsd-security@freebsd.org> au nom de Weike.Chen@Dell.com <mailto:Weike.Chen@Dell.com>> a écrit : > > >>>> All supported FreeBSD releases include versions of xz that predate the >> affected releases. >>>> >>>> The main, stable/14, and stable/13 branches do include the affected version >> (5.6.0), but the backdoor components were excluded from the vendor import. >> Additionally, FreeBSD does not use the upstream's build tooling, which was a >> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux >> systems using glibc. >>> >>> Hey Gordon, >>> >>> Is there potential for Linux jails on FreeBSD systems (ie, deployments >>> making use of the Linxulator) to be impacted? Assuming amd64 here, >>> too. >> >> Hard to say for certain, but I suspect the answer is yes. If the jail has the >> vulnerable software installed, there is a decent chance it would be affected. At >> that point, I would refer to the vulnerability statement published by the Linux >> distro the jail is based on. I don’t believe the vulnerability has any kernel >> dependencies that FreeBSD would provide protection. >> >> Certainly, in the world of being conservatively cautious, I would immediately >> address any such Linux jails. >> >> Gordon > My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted. > Please correct my if I am wrong. > > > Internal Use - Confidentialhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?281a2f41-7bbf-4e20-bb4a-630d839e9708>