Article <uv817l$1i5p6$1@dont-email.me>

Path: ...!weretis.net!feeder8.news.weretis.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Aelius Gallus <alexias@nospam.mail>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: xz backdoor
Date: Thu, 11 Apr 2024 06:50:29 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 41
Message-ID: <uv817l$1i5p6$1@dont-email.me>
References: <yd7chghjtb.fsf@UBEblock.psr.com> <slrnv0m9l4.4hj.naddy@lorvorc.mips.inka.de>
Injection-Date: Thu, 11 Apr 2024 08:50:29 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="0a02bd82c2422f8cb2f87a0c42e85f20";
	logging-data="1644326"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX18SoGkrM8yX5b+fUqziVtO/"
User-Agent: tin/2.6.2-20221225 ("Pittyvaich") (FreeBSD/14.0-RELEASE (amd64))
Cancel-Lock: sha1:z4gBXIAFVUSwHtWeyV4yzp0o1E0=
Bytes: 2406

Christian Weisgerber <naddy@mips.inka.de> wrote:
> On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:
> 
>> Saw a YouTube video about a backdoor that had been snuck into xz
>> that affects openssh and sshd.  The vulnerability was rated
>> 10.0 of 10.0 and the Linux distros were racing to fix it.
> 
> It doesn't concern FreeBSD for various reasons.  Here's the official
> statement:
> 
> ------------------->
> From: Gordon Tetlow <gordon_at_tetlows.org>
> Date: Fri, 29 Mar 2024 17:02:14 UTC
> 
> FreeBSD is not affected by the recently announced backdoor included in
> the 5.6.0 and 5.6.1 xz releases.
> 
> All supported FreeBSD releases include versions of xz that predate the
> affected releases.
> 
> The main, stable/14, and stable/13 branches do include the affected
> version (5.6.0), but the backdoor components were excluded from the
> vendor import. Additionally, FreeBSD does not use the upstream's build
> tooling, which was a required part of the attack. Lastly, the attack
> specifically targeted x86_64 Linux systems using glibc.
> 
> The FreeBSD ports collection does not include xz/liblzma.
> 
> Reference:
> https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> Best regards,
> Gordon Tetlow
> Hat: security-officer
> <-------------------
> 
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
> 
Thank you for the explanation, although the technical part was above my head.