Date: Fri, 29 Mar 2024 17:47:51 -0600
From: Alan Somers <asomers@freebsd.org>
To: freebsd-security <freebsd-security@freebsd.org>
Cc: Xin Li <delphij@freebsd.org>
Subject: Backdoor in xz 5.6.0
Message-ID: <CAOtMX2gVo6p%2BsrDJjjJRu3USDTCFrkZ0OY_TkYooUQqAP1qkjw@mail.gmail.com>
A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and snuck it into Fedora builds. That's the same version that FreeBSD CURRENT uses. For multiple reasons we aren't vulnerable (the malicious code isn't included in xz's git repo, only its dist tarballs; the malicious code is only triggered on x86_64 Linux in an rpm or deb build; and the malicious code resides in a .m4 file which our build process doesn't use). But upstream considers all of 5.6.0 to be untrustworthy and recommends that everyone downgrade to 5.4.5.

summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
details: https://www.openwall.com/lists/oss-security/2024/03/29/4
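A host-side check for the versions named in the mail, added here as an example and not part of the original message or of the xz project: it parses the banner that `xz --version` prints (the sample banners below are constructed) and flags 5.6.0 and 5.6.1 for both the xz binary and the liblzma it reports.

```shell
#!/bin/sh
# Added example: flag an installed xz/liblzma whose version is one of the
# builds upstream considers untrustworthy. Affected versions (5.6.0, 5.6.1)
# and the recommended fallback (5.4.5) are taken from the mail above.

# xz_is_affected VERSION -> exit 0 if VERSION is 5.6.0 or 5.6.1, else 1
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# versions_in_banner BANNER -> one version per line, taken from the last
# field of each banner line ("xz (XZ Utils) 5.6.1", "liblzma 5.6.1").
versions_in_banner() {
    printf '%s\n' "$1" |
        awk 'NF && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+/ { print $NF }'
}

# check_xz_banner BANNER -> prints one line per component; returns 0 if any
# component is an affected version, 1 if none is, 2 if nothing parsed.
check_xz_banner() {
    affected_rc=1
    seen=0
    for ver in $(versions_in_banner "$1"); do
        seen=1
        if xz_is_affected "$ver"; then
            printf 'AFFECTED %s (upstream recommends 5.4.5)\n' "$ver"
            affected_rc=0
        else
            printf 'ok %s\n' "$ver"
        fi
    done
    [ "$seen" -eq 1 ] || return 2
    return "$affected_rc"
}

# Constructed sample banners in the layout `xz --version` uses:
SAMPLE_BAD="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_OK="xz (XZ Utils) 5.4.5
liblzma 5.4.5"

# Live check of this host when the file is run as a script:
if command -v xz >/dev/null 2>&1; then
    check_xz_banner "$(xz --version 2>/dev/null)" || :
fi
```

On FreeBSD the same function can be fed `pkg info xz` output only if that format is adapted first; the banner parser above targets `xz --version` alone.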