Date: Sat, 30 Mar 2024 19:43:36 +0100 From: FreeBSD <freebsd@chroot.pl> To: freebsd-security@freebsd.org Subject: Re: Backdoor in xz 5.6.0 Message-ID: <7d72e73d-6e7a-412e-b758-33507abfc3aa@chroot.pl> In-Reply-To: <CAOtMX2gVo6p%2BsrDJjjJRu3USDTCFrkZ0OY_TkYooUQqAP1qkjw@mail.gmail.com> References: <CAOtMX2gVo6p%2BsrDJjjJRu3USDTCFrkZ0OY_TkYooUQqAP1qkjw@mail.gmail.com>
Hi all,

regarding xz… have you seen this?

https://github.com/libarchive/libarchive/pull/1609

regards

On 3/30/24 00:47, Alan Somers wrote:
> A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
> snuck it into Fedora builds. That's the same version that FreeBSD
> CURRENT uses. For multiple reasons we aren't vulnerable (the
> malicious code isn't included in xz's git repo, only its dist
> tarballs, the malicious code is only triggered on x86_64 linux in an
> rpm or deb build, and the malicious code resides in a .m4 file which
> our build process doesn't use). But upstream considers all of 5.6.0
> to be untrustworthy and recommends that everyone to 5.4.5.
>
> summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
> details: https://www.openwall.com/lists/oss-security/2024/03/29/4
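As an added example, not part of this thread and not code from the xz or FreeBSD projects: a POSIX shell script that flags the two release versions named in the quoted message from the first line of `xz --version`, and, for the dist-tarball-versus-git point Alan raises, lists the files an unpacked dist tarball ships that a git checkout at the same tag does not. The `tb/` and `git/` directories and the files inside them are a constructed fixture so the comparison runs offline; the file name `m4/extra.m4` is invented for the demo and is not a claim about which file carried the backdoor.

```shell
#!/bin/sh
# Added example for the xz 5.6.0/5.6.1 thread; not from the original post.

# Return 0 if the version string is one of the two releases the thread
# names as backdoored, 1 otherwise.
xz_version_flagged() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull "5.6.1" out of the first line of `xz --version`, which has the
# form "xz (XZ Utils) 5.6.1". Prints nothing if the line does not match.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Print relative paths of regular files present under the unpacked dist
# tarball ($1) but absent from the git checkout ($2). The .git directory
# is ignored. Generated autotools output (configure, Makefile.in, m4/*.m4)
# always shows up here, so this is a list for a reviewer to read, not an
# automatic verdict: the point is that tarball-only files never went
# through code review in the repository.
tarball_only_files() {
    tb_list=$(mktemp)
    git_list=$(mktemp)
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort ) > "$tb_list"
    ( cd "$2" && find . -type f ! -path './.git/*' | sed 's|^\./||' | LC_ALL=C sort ) > "$git_list"
    comm -23 "$tb_list" "$git_list"
    rm -f "$tb_list" "$git_list"
}

# Constructed fixture: a fake tarball tree and a fake git tree that share
# src/xz.c and m4/common.m4, while the tarball additionally carries a
# generated configure script and an invented m4/extra.m4. Prints the
# tarball-only paths and cleans up.
demo_tarball_only() {
    base=$(mktemp -d)
    mkdir -p "$base/tb/m4" "$base/tb/src" "$base/git/m4" "$base/git/src" "$base/git/.git"
    printf 'int main(void){return 0;}\n' > "$base/tb/src/xz.c"
    printf 'int main(void){return 0;}\n' > "$base/git/src/xz.c"
    printf 'dnl shared macro\n' > "$base/tb/m4/common.m4"
    printf 'dnl shared macro\n' > "$base/git/m4/common.m4"
    printf 'dnl only in the tarball (constructed)\n' > "$base/tb/m4/extra.m4"
    printf '#!/bin/sh\n' > "$base/tb/configure"
    printf 'ref: refs/heads/master\n' > "$base/git/.git/HEAD"
    tarball_only_files "$base/tb" "$base/git"
    rm -rf "$base"
}
```

Against a real release you would run `tarball_only_files xz-<version>/ xz-git/` after `tar xf` of the dist tarball and `git checkout v<version>` of the repository; every path it prints is build input that exists only in the tarball and deserves a look, which is exactly the gap the quoted message describes.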