Date: Fri, 29 Mar 2024 11:43:48 -0700 From: Gordon Tetlow <gordon@tetlows.org> To: Shawn Webb <shawn.webb@hardenedbsd.org> Cc: freebsd-security@freebsd.org Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected Message-ID: <E00E547B-D7B9-4A6D-B439-EA95EA1FCE16@tetlows.org> In-Reply-To: <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c> References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] > On Mar 29, 2024, at 11:15 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > > On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote: >> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases. >> >> All supported FreeBSD releases include versions of xz that predate the affected releases. >> >> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc. > > Hey Gordon, > > Is there potential for Linux jails on FreeBSD systems (ie, deployments > making use of the Linxulator) to be impacted? Assuming amd64 here, > too. Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don’t believe the vulnerability has any kernel dependencies that FreeBSD would provide protection. Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails. Gordon [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEuyjUCzYO7pNq7RVv5fe8y6O93fgFAmYHC+QACgkQ5fe8y6O9 3fgcIAf+K4raQimnBh0/A9Dds+6eGVShohcAAyPUCFy0B1sSvbmz2S4X1LE6aSmf P+h1zsbxxqUwOeWbPdRLHFeqRyO6zK3Y72S5w0o/EuFvGbTi00hIOZcut1tIcfEc XhWWcUjQYJ0FWBtqwxO/Ukl1epqjOA2KqJplKJ/r9f8gFcOAK/A6EOXeEqud2Knm MNQcSEzZdbX+g8tM4HOENDgRVYbClPy73XK203rsLWDJtO75CtJ9FDWKfJG/TR0n Pd149zG92TEg23AVZLGas7ABGXbhdO/7tYg5qZ+iQkG6PgAiguJE+zswfu09QE4Q BQcsL/TcDzPv29tpNaAnMa1QoNFskg== =R74j -----END PGP SIGNATURE-----home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E00E547B-D7B9-4A6D-B439-EA95EA1FCE16>