Date: Sat, 30 Mar 2024 02:15:53 +0100 (CET)
From: henrichhartzer@tuta.io
To: Freebsd Stable <freebsd-stable@freebsd.org>
Subject: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Message-ID: <NuBvLSh--3-9@tuta.io>
Hi everyone,

I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4

It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.

I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.

The GitHub repository has currently been locked out. Hoping that someone more aware of what's going on can offer more insight.

Thanks!

-Henrich
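The first thing an administrator reading this wants to know is whether the xz and liblzma on a given host report one of the two versions the linked report names. The following triage helper is an added example, not part of Henrich's post or of FreeBSD; it parses the two lines that `xz --version` prints ("xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z") and reports which components match 5.6.0 or 5.6.1. The sample outputs are constructed for illustration, and the optional `trusted_ceiling` argument (the poster's "known safe version" idea, with no particular version chosen here) is an assumption of this example.

```python
import re
import subprocess

# Versions the linked oss-security report names as backdoored (from the post).
BACKDOORED_XZ_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints one line for the xz binary and one for liblzma, e.g.
#   xz (XZ Utils) 5.4.6
#   liblzma 5.4.6
VERSION_RE = re.compile(
    r"^(?P<component>xz \(XZ Utils\)|liblzma)\s+(?P<ver>\d+\.\d+\.\d+)", re.M
)

# Constructed sample outputs for a vulnerable and a non-matching install.
SAMPLE_OUTPUT_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_OUTPUT_OK = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"


def parse_version(text):
    """Turn '5.6.1' into the comparable tuple (5, 6, 1)."""
    return tuple(int(part) for part in text.split("."))


def parse_xz_version_output(text):
    """Map each component named in `xz --version` output to its version tuple."""
    return {
        m.group("component"): parse_version(m.group("ver"))
        for m in VERSION_RE.finditer(text)
    }


def affected_components(text, trusted_ceiling=None):
    """Return the components that report a backdoored version.

    If `trusted_ceiling` (hypothetical, e.g. (5, 4, 6)) is given, anything newer
    than it is also flagged, matching the post's suggestion of rolling back to a
    version the reader already trusts rather than only excluding 5.6.0/5.6.1.
    """
    flagged = []
    for component, version in parse_xz_version_output(text).items():
        if version in BACKDOORED_XZ_VERSIONS:
            flagged.append(component)
        elif trusted_ceiling is not None and version > trusted_ceiling:
            flagged.append(component)
    return sorted(flagged)


def check_local_xz():
    """Run the local `xz --version` and return flagged components, or None if xz is absent."""
    try:
        result = subprocess.run(
            ["xz", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return affected_components(result.stdout)


if __name__ == "__main__":
    print("sample (bad):", affected_components(SAMPLE_OUTPUT_BAD))
    print("sample (ok): ", affected_components(SAMPLE_OUTPUT_OK))
    print("this host:   ", check_local_xz())
```

Checking both lines matters: a host can carry an older xz binary while a separately installed liblzma is at one of the named versions, so the library line is the one to watch on systems where the two are packaged apart.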