Date:      Fri, 29 Mar 2024 11:43:48 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID:  <E00E547B-D7B9-4A6D-B439-EA95EA1FCE16@tetlows.org>
In-Reply-To: <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c>
References:  <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c>


> On Mar 29, 2024, at 11:15 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> 
> On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
>> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
>> 
>> All supported FreeBSD releases include versions of xz that predate the affected releases.
>> 
>> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
> 
> Hey Gordon,
> 
> Is there potential for Linux jails on FreeBSD systems (i.e., deployments
> making use of the Linuxulator) to be impacted? Assuming amd64 here,
> too.

Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don't believe the vulnerability has any kernel dependencies against which FreeBSD would provide protection.

Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.

Gordon
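As an added example (not part of Gordon's message or of any FreeBSD tooling), the following POSIX shell script does the inventory step the reply suggests: it inspects the `xz --version` output of a Linux jail and flags the two backdoored releases named in the thread, 5.6.0 and 5.6.1. The jail names, the `scan_jails` helper, the `/usr/bin/xz` path and the sample version strings are assumptions constructed for illustration; `jls` and `jexec` are the FreeBSD base-system jail commands.

```shell
#!/bin/sh
# Added example, not from the original message. Flags xz/liblzma versions
# 5.6.0 and 5.6.1 (the backdoored releases named in the thread) in the
# output of `xz --version`. Anything else, including 5.6.10, is not flagged.

# Return 0 if $1 (the full text of `xz --version`) reports xz or liblzma
# 5.6.0 or 5.6.1, 1 otherwise. The trailing ([^0-9]|$) stops 5.6.10 from
# matching 5.6.1.
xz_version_affected() {
    printf '%s\n' "$1" |
        grep -Eq '^(xz \(XZ Utils\)|liblzma) 5\.6\.[01]([^0-9]|$)'
}

# Run the check in every jail on the host. Assumes each Linux jail has xz
# at /usr/bin/xz; jails without it are reported as "no xz" and skipped.
# Prints one line per jail and returns 1 if any jail is affected.
scan_jails() {
    rc=0
    for j in $(jls name 2>/dev/null); do
        out=$(jexec "$j" /usr/bin/xz --version 2>/dev/null) || {
            printf '%s: no xz (or not a Linux jail)\n' "$j"
            continue
        }
        if xz_version_affected "$out"; then
            printf '%s: AFFECTED (%s)\n' "$j" "$(printf '%s\n' "$out" | head -n 1)"
            rc=1
        else
            printf '%s: ok (%s)\n' "$j" "$(printf '%s\n' "$out" | head -n 1)"
        fi
    done
    return "$rc"
}

# Constructed sample outputs, in the format `xz --version` prints.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Only touch the jails on the host when explicitly asked to.
case "${1:-}" in
    --scan) scan_jails ;;
esac
```

Run it as `sh check_xz_jails.sh --scan` on the FreeBSD host; without `--scan` it only defines the functions, so it can be sourced and reused. A jail reported as affected should be handled per the vulnerability statement of the distribution it is based on, as the reply above recommends.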
