Deutsch English Français Italiano |
<slrnv0m9l4.4hj.naddy@lorvorc.mips.inka.de> View for Bookmarking (what is this?) Look up another Usenet article |
Path: ...!weretis.net!feeder6.news.weretis.net!feeder8.news.weretis.net!news.szaf.org!inka.de!mips.inka.de!.POSTED.localhost!not-for-mail From: Christian Weisgerber <naddy@mips.inka.de> Newsgroups: comp.unix.bsd.freebsd.misc Subject: Re: xz backdoor Date: Mon, 1 Apr 2024 21:27:00 -0000 (UTC) Message-ID: <slrnv0m9l4.4hj.naddy@lorvorc.mips.inka.de> References: <yd7chghjtb.fsf@UBEblock.psr.com> Injection-Date: Mon, 1 Apr 2024 21:27:00 -0000 (UTC) Injection-Info: lorvorc.mips.inka.de; posting-host="localhost:::1"; logging-data="4660"; mail-complaints-to="usenet@mips.inka.de" User-Agent: slrn/1.0.3 (FreeBSD) Bytes: 2024 Lines: 38 On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote: > Saw a YouTube video about a backdoor that had been snuck into xz > that affects openssh and sshd. The vulnerability was rated > 10.0 of 10.0 and the Linux distros were racing to fix it. It doesn't concern FreeBSD for various reasons. Here's the official statement: -------------------> From: Gordon Tetlow <gordon_at_tetlows.org> Date: Fri, 29 Mar 2024 17:02:14 UTC FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases. All supported FreeBSD releases include versions of xz that predate the affected releases. The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc. The FreeBSD ports collection does not include xz/liblzma. Reference: https://www.openwall.com/lists/oss-security/2024/03/29/4 Best regards, Gordon Tetlow Hat: security-officer <------------------- https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html -- Christian "naddy" Weisgerber naddy@mips.inka.de