Date: Sat, 30 Mar 2024 22:31:00 +0000
From: "Patrick M. Hausen" <hausen@punkt.de>
To: Freebsd Stable <freebsd-stable@freebsd.org>
Cc: "henrichhartzer@tuta.io" <henrichhartzer@tuta.io>, Jonathan Vasquez <jon@xyinn.org>
Subject: Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Message-ID: <02919DCB-5778-47C3-8754-249F76596928@punkt.de>
In-Reply-To: <WSRHEPLzq0oUN8lQ4GAgVaWmeVkSD2UpN7y96L-am-aQs3R3bjp7PbWvB9A9cE8f3EKrZOlShQ_TC66G-yzWk9FI0PXdkVOHIHofJ9sw6jA=@xyinn.org>
References: <NuBvLSh--3-9@tuta.io> <WSRHEPLzq0oUN8lQ4GAgVaWmeVkSD2UpN7y96L-am-aQs3R3bjp7PbWvB9A9cE8f3EKrZOlShQ_TC66G-yzWk9FI0PXdkVOHIHofJ9sw6jA=@xyinn.org>
Hi all,

On Fri, Mar 29, 2024 at 21:15, <henrichhartzer@tuta.io> wrote:
>
> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
>
> I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
>
> [...]

1. The point of this backdoor is - to my knowledge - to get a rogue login via SSH.

2. The mechanism relies on the compromised liblzma being linked with sshd.

3. Which is the case for some Linux distributions because they pull in some extra functions for better systemd integration which then pulls in liblzma as a dependency.

4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd is not linked to the compromised library at all.

5. Even if you installed a supposedly compromised xz from ports, there are probably no ill consequences.

Kind regards,
Patrick
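The reply above rests on two checkable facts: the backdoor only matters where sshd is linked against liblzma (on some Linux distributions via libsystemd), and the releases named as backdoored are xz 5.6.0 and 5.6.1. The POSIX shell script below is an added example, not part of the original message and not FreeBSD project code. It classifies ldd output by whether liblzma and libsystemd appear, extracts the version from an `xz --version` banner and compares it with the two named releases, and then, if sshd, ldd and xz are present on the host, runs the same checks live. The two sample ldd listings are constructed and abbreviated, and the sshd locations tried are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original e-mail or of FreeBSD.
# Two checks that follow from the thread: (1) does sshd on this host link
# liblzma, directly or via libsystemd, and (2) is the installed xz one of
# the two releases the thread names (5.6.0, 5.6.1)?

# Reads ldd-style output on stdin and prints one word:
#   both, lzma-only, systemd-only, or none
# depending on which of liblzma / libsystemd appear in the listing.
classify_ldd() {
    lzma=no
    sd=no
    while IFS= read -r line; do
        case "$line" in
            *liblzma.so*)    lzma=yes ;;
            *libsystemd.so*) sd=yes ;;
        esac
    done
    case "$lzma$sd" in
        yesyes) echo both ;;
        yesno)  echo lzma-only ;;
        noyes)  echo systemd-only ;;
        *)      echo none ;;
    esac
}

# Takes the text of `xz --version` and prints the version from its first
# line, e.g. "xz (XZ Utils) 5.6.1" -> 5.6.1.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Succeeds when the version is one of the two named in the thread.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed, abbreviated ldd listings used to exercise classify_ldd:
# a Linux sshd linked against libsystemd (which drags in liblzma) and a
# FreeBSD base-system sshd, which links neither.
SAMPLE_LINUX_LDD='
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'
SAMPLE_FREEBSD_LDD='
    libcrypto.so.30 => /lib/libcrypto.so.30
    libutil.so.9 => /lib/libutil.so.9
    libc.so.7 => /lib/libc.so.7'

echo "sample Linux sshd:   $(printf '%s\n' "$SAMPLE_LINUX_LDD" | classify_ldd)"
echo "sample FreeBSD sshd: $(printf '%s\n' "$SAMPLE_FREEBSD_LDD" | classify_ldd)"

# Live checks on this host, run only when the tools are available.
# The sshd locations tried are assumptions for this example.
sshd_path=""
for p in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd /usr/local/sbin/sshd; do
    if [ -n "$p" ] && [ -x "$p" ]; then sshd_path=$p; break; fi
done
if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
    echo "this host's sshd ($sshd_path): $(ldd "$sshd_path" 2>/dev/null | classify_ldd)"
fi
if command -v xz >/dev/null 2>&1; then
    v=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$v"; then
        echo "xz $v: one of the releases named as backdoored"
    else
        echo "xz $v: not one of the named releases"
    fi
fi
```

One caveat: ldd only lists the dynamic dependencies recorded in the binary and the libraries they pull in, so a "none" result rules out the linking path the thread describes but says nothing about a library loaded at run time with dlopen or about a locally modified sshd binary.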