Path: ...!weretis.net!feeder8.news.weretis.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Aelius Gallus <alexias@nospam.mail>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: xz backdoor
Date: Thu, 11 Apr 2024 06:50:29 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 41
Message-ID: <uv817l$1i5p6$1@dont-email.me>
References: <yd7chghjtb.fsf@UBEblock.psr.com> <slrnv0m9l4.4hj.naddy@lorvorc.mips.inka.de>
Injection-Date: Thu, 11 Apr 2024 08:50:29 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="0a02bd82c2422f8cb2f87a0c42e85f20"; logging-data="1644326"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18SoGkrM8yX5b+fUqziVtO/"
User-Agent: tin/2.6.2-20221225 ("Pittyvaich") (FreeBSD/14.0-RELEASE (amd64))
Cancel-Lock: sha1:z4gBXIAFVUSwHtWeyV4yzp0o1E0=
Bytes: 2406

Christian Weisgerber <naddy@mips.inka.de> wrote:
> On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:
>
>> Saw a YouTube video about a backdoor that had been snuck into xz
>> that affects openssh and sshd. The vulnerability was rated
>> 10.0 of 10.0 and the Linux distros were racing to fix it.
>
> It doesn't concern FreeBSD for various reasons. Here's the official
> statement:
>
> ------------------->
>
> From: Gordon Tetlow <gordon_at_tetlows.org>
> Date: Fri, 29 Mar 2024 17:02:14 UTC
>
> FreeBSD is not affected by the recently announced backdoor included in
> the 5.6.0 and 5.6.1 xz releases.
>
> All supported FreeBSD releases include versions of xz that predate the
> affected releases.
>
> The main, stable/14, and stable/13 branches do include the affected
> version (5.6.0), but the backdoor components were excluded from the
> vendor import. Additionally, FreeBSD does not use the upstream's build
> tooling, which was a required part of the attack. Lastly, the attack
> specifically targeted x86_64 Linux systems using glibc.
>
> The FreeBSD ports collection does not include xz/liblzma.
>
> Reference:
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Best regards,
> Gordon Tetlow
> Hat: security-officer
> <-------------------
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

Thank you for the explanation, although the technical part was above my head.
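An added example, not from the thread or from FreeBSD, that turns the two conditions in the statement above into a host check: only XZ Utils 5.6.0 and 5.6.1 shipped the backdoor, and it reached sshd through liblzma, so a host is of concern only when the version matches and sshd actually loads liblzma. It assumes a POSIX sh with `ldd`, `grep -o` and `xz` on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: two defender-side checks derived from the
# FreeBSD statement above. The backdoor shipped only in XZ Utils 5.6.0 and 5.6.1
# and reached sshd through liblzma, so a host needs a closer look only when
# both the version matches and sshd actually loads liblzma.

# Return 0 (true) if the given version string or `xz --version` banner names
# one of the two affected releases.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 (true) if the executable is dynamically linked against liblzma,
# directly or through a library it pulls in (ldd lists both). A missing file
# or a static binary counts as "not linked".
links_liblzma() {
    [ -f "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Combine both checks for the local host and print a one-line verdict.
# Always returns 0 so it is safe to call at the top level of this script.
report_host() {
    banner=$(xz --version 2>/dev/null | head -n 1)
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -z "$banner" ]; then
        echo "xz not found on PATH; nothing to check"
    elif ! xz_version_affected "$banner"; then
        echo "xz is '$banner': not an affected release"
    elif links_liblzma "$sshd"; then
        echo "WARNING: $banner installed and $sshd loads liblzma; verify the package source"
    else
        echo "$banner installed, but $sshd does not load liblzma"
    fi
    return 0
}

report_host
```

On FreeBSD the base-system sshd does not link liblzma, so the last branch is the expected result there even on a branch carrying the 5.6.0 import.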