• xz backdoor

    From Winston@21:1/5 to All on Mon Apr 1 17:09:04 2024
    Saw a YouTube video about a backdoor that had been snuck into xz
    that affects openssh and sshd. The vulnerability was rated
    10.0 of 10.0 and the Linux distros were racing to fix it.
    If I remember the video correctly, the malware only got in as of
    5.6.*, and older versions are not at risk. "xz --version" says
    5.4.4, so it looks like FreeBSD is safe, but maybe a newer
    version of FreeBSD (13.3 or the upcoming 14.1) might need to
    avoid it?

    Just passing on the word. This was the video:
    https://www.youtube.com/watch?v=OHAyf0qwdCs
    -WBE

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Christian Weisgerber@21:1/5 to Winston on Mon Apr 1 21:27:00 2024
    On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:

    Saw a YouTube video about a backdoor that had been snuck into xz
    that affects openssh and sshd. The vulnerability was rated
    10.0 of 10.0 and the Linux distros were racing to fix it.

    It doesn't concern FreeBSD for various reasons. Here's the official
    statement:

    ------------------->
    From: Gordon Tetlow <gordon_at_tetlows.org>
    Date: Fri, 29 Mar 2024 17:02:14 UTC

    FreeBSD is not affected by the recently announced backdoor included in
    the 5.6.0 and 5.6.1 xz releases.

    All supported FreeBSD releases include versions of xz that predate the
    affected releases.

    The main, stable/14, and stable/13 branches do include the affected
    version (5.6.0), but the backdoor components were excluded from the
    vendor import. Additionally, FreeBSD does not use the upstream's build
    tooling, which was a required part of the attack. Lastly, the attack
    specifically targeted x86_64 Linux systems using glibc.

    The FreeBSD ports collection does not include xz/liblzma.

    Reference:
    https://www.openwall.com/lists/oss-security/2024/03/29/4

    Best regards,
    Gordon Tetlow
    Hat: security-officer
    <-------------------

    https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

    --
    Christian "naddy" Weisgerber naddy@mips.inka.de

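    As an added triage helper (not code from the thread or from the FreeBSD advisory quoted above): a small POSIX shell script that parses the first line of `xz --version` output and reports whether the installed version is one of the two releases the advisory names as carrying the backdoor, 5.6.0 and 5.6.1. It assumes the banner format "xz (XZ Utils) X.Y.Z"; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD security officer's statement.
# Assumes `xz --version` prints a first line like "xz (XZ Utils) 5.4.4".

# Extract the version number from an `xz --version` banner line.
xz_version_from_banner() {
    # $1: banner line such as "xz (XZ Utils) 5.6.1"
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the version string is a release the advisory names as
# carrying the backdoor (5.6.0 or 5.6.1), 1 otherwise.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a banner line: prints "affected", "not-affected" or "unknown"
# and returns 0, 1 or 2 respectively so the result is usable in scripts.
xz_classify_banner() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    if xz_version_is_backdoored "$ver"; then
        echo affected
        return 0
    fi
    echo not-affected
    return 1
}

# Stand-alone use: check the xz actually installed on this host
# (opt in with XZ_CHECK_LIVE=1 so sourcing the file has no side effects).
if [ "${XZ_CHECK_LIVE:-0}" = 1 ] && command -v xz >/dev/null 2>&1; then
    xz_classify_banner "$(xz --version | head -n 1)"
fi
```

    The version string alone is only a first filter: as the statement above notes, the FreeBSD main, stable/14 and stable/13 branches carry 5.6.0 with the backdoor components excluded from the vendor import, so a 5.6.0 banner on such a build does not by itself mean the backdoor is present.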
  • From Aelius Gallus@21:1/5 to Christian Weisgerber on Thu Apr 11 06:50:29 2024
    Christian Weisgerber <naddy@mips.inka.de> wrote:
    On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:

    Saw a YouTube video about a backdoor that had been snuck into xz
    that affects openssh and sshd. The vulnerability was rated
    10.0 of 10.0 and the Linux distros were racing to fix it.

    It doesn't concern FreeBSD for various reasons. Here's the official
    statement:

    ------------------->
    From: Gordon Tetlow <gordon_at_tetlows.org>
    Date: Fri, 29 Mar 2024 17:02:14 UTC

    FreeBSD is not affected by the recently announced backdoor included in
    the 5.6.0 and 5.6.1 xz releases.

    All supported FreeBSD releases include versions of xz that predate the
    affected releases.

    The main, stable/14, and stable/13 branches do include the affected
    version (5.6.0), but the backdoor components were excluded from the
    vendor import. Additionally, FreeBSD does not use the upstream's build
    tooling, which was a required part of the attack. Lastly, the attack
    specifically targeted x86_64 Linux systems using glibc.

    The FreeBSD ports collection does not include xz/liblzma.

    Reference:
    https://www.openwall.com/lists/oss-security/2024/03/29/4

    Best regards,
    Gordon Tetlow
    Hat: security-officer
    <-------------------

    https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

    Thank you for the explanation, although the technical part was above my head.
