Date:      Sun, 7 Apr 2024 20:42:59 +0000 (UTC)
From:      Alexander Burke <alex-freebsd-security@alexburke.ca>
To:        Cédric Weis <hawei@free.fr>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID:  <281a2f41-7bbf-4e20-bb4a-630d839e9708@alexburke.ca>

Bonjour Cédric,

We can't; you must do it yourself by sending an email (even a blank one) to:

freebsd-security+unsubscribe@freebsd.org



----------------------------------------

2024-04-07T11:57:04Z Cédric Weis <hawei@free.fr>:

> Unsubscribe me please. I don't know how to do it by myself.
>
> On 07/04/2024 11:35, « Chen, Alvin W » <owner-freebsd-security@freebsdorg <mailto:owner-freebsd-security@freebsd.org> on behalf of Weike.Chen@Dell.com <mailto:Weike.Chen@Dell.com>> wrote:
>
>
>>>> All supported FreeBSD releases include versions of xz that predate the
>>>> affected releases.
>>>>
>>>> The main, stable/14, and stable/13 branches do include the affected version
>>>> (5.6.0), but the backdoor components were excluded from the vendor import.
>>>> Additionally, FreeBSD does not use the upstream's build tooling, which was a
>>>> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux
>>>> systems using glibc.
>>>
>>> Hey Gordon,
>>>
>>> Is there potential for Linux jails on FreeBSD systems (ie, deployments
>>> making use of the Linuxulator) to be impacted? Assuming amd64 here,
>>> too.
>>
>> Hard to say for certain, but I suspect the answer is yes. If the jail has the
>> vulnerable software installed, there is a decent chance it would be affected. At
>> that point, I would refer to the vulnerability statement published by the Linux
>> distro the jail is based on. I don't believe the vulnerability has any kernel
>> dependencies that FreeBSD would provide protection.
>>
>> Certainly, in the world of being conservatively cautious, I would immediately
>> address any such Linux jails.
>>
>> Gordon
> My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
> Please correct me if I am wrong.
>
>
> Internal Use - Confidential
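A host-side check for the Linux-jail question raised in the quoted thread, added here as an example that is not part of the thread or of FreeBSD's own tooling: it walks the running jails with jls/jexec, reads each jail's `xz --version`, and flags any version on an affected list. The affected-version list is an assumption to be filled from the advisory (the thread itself names only 5.6.0), and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report every running jail whose xz
# reports a version on the affected list. ASSUMPTION: fill this list from
# the advisory; the thread names 5.6.0, so that is the only entry here.
AFFECTED_XZ_VERSIONS="5.6.0"
# Pull the version out of `xz --version` output ("xz (XZ Utils) 5.6.0" ->
# "5.6.0"). Returns 1 when no such line is present, e.g. xz not installed.
xz_version_from_output() {
    v=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}
# Exit 0 when the given version is in AFFECTED_XZ_VERSIONS.
is_affected_xz() {
    for a in $AFFECTED_XZ_VERSIONS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}
# One report line per jail: "<jail> AFFECTED|ok|no-xz <version>".
# "ok" only means the version string is not on the list; a Linux jail still
# carries its distro's xz, so the distro's advisory remains the authority.
classify_xz_output() {
    jail=$1
    if ver=$(xz_version_from_output "$2"); then
        if is_affected_xz "$ver"; then
            printf '%s AFFECTED %s\n' "$jail" "$ver"
        else
            printf '%s ok %s\n' "$jail" "$ver"
        fi
    else
        printf '%s no-xz -\n' "$jail"
    fi
}
# Run xz inside each running jail (needs root on the FreeBSD host).
scan_jails() {
    jls name | while read -r j; do
        classify_xz_output "$j" "$(jexec "$j" xz --version 2>/dev/null || true)"
    done
}
# Constructed sample outputs so the classifier can be exercised off-host.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
SAMPLE_OLD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
# Only scan for real when jls is present and we are root on the host.
if command -v jls >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    scan_jails
fi
```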
