Re: xz backdoor

Subject: Re: xz backdoor
From: alexias (at) *nospam* nospam.mail (Aelius Gallus)
Groups: comp.unix.bsd.freebsd.misc
Date: 11. Apr 2024, 08:50:29
Organization: A noiseless patient Spider
Message-ID: <uv817l$1i5p6$1@dont-email.me>
User-Agent: tin/2.6.2-20221225 ("Pittyvaich") (FreeBSD/14.0-RELEASE (amd64))
Christian Weisgerber <naddy@mips.inka.de> wrote:
> On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:
>
>> Saw a YouTube video about a backdoor that had been snuck into xz
>> that affects openssh and sshd.  The vulnerability was rated
>> 10.0 of 10.0 and the Linux distros were racing to fix it.
>
> It doesn't concern FreeBSD for various reasons.  Here's the official
> statement:
>
> ------------------->
> From: Gordon Tetlow <gordon_at_tetlows.org>
> Date: Fri, 29 Mar 2024 17:02:14 UTC
>
> FreeBSD is not affected by the recently announced backdoor included in
> the 5.6.0 and 5.6.1 xz releases.
>
> All supported FreeBSD releases include versions of xz that predate the
> affected releases.
>
> The main, stable/14, and stable/13 branches do include the affected
> version (5.6.0), but the backdoor components were excluded from the
> vendor import. Additionally, FreeBSD does not use the upstream's build
> tooling, which was a required part of the attack. Lastly, the attack
> specifically targeted x86_64 Linux systems using glibc.
>
> The FreeBSD ports collection does not include xz/liblzma.
>
> Reference:
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Best regards,
> Gordon Tetlow
> Hat: security-officer
> <-------------------
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
 
Thank you for the explanation, although the technical part was above my head.
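The statement quoted above lists the conditions that made the backdoor reachable: an xz 5.6.0 or 5.6.1 release, liblzma loaded into sshd, and an x86_64 Linux host with glibc. The host triage script below is an added example, not part of this thread or of FreeBSD's advisory; the function names, verdict strings, and the assumption that xz, ldd and an sshd binary are installed are mine.

```sh
#!/bin/sh
# Added triage helper (not from the thread or from FreeBSD). It encodes the
# conditions the statement lists: xz release 5.6.0 or 5.6.1, liblzma reachable
# from sshd, and the targeted platform (x86_64 Linux with glibc).

# 0 when VERSION is one of the two backdoored upstream releases.
xz_release_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*(XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# 0 when an ldd listing shows liblzma mapped into the binary.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# 0 on the platform the statement says the attack targeted.
targeted_platform() {
    [ "$1" = "Linux" ] && [ "$2" = "x86_64" ] && [ "$3" = "glibc" ]
}

# Classify a host from its xz version, the ldd output for sshd, and its
# platform. Version and linkage decide whether the backdoored code can be
# loaded at all; the platform check only narrows the verdict.
triage() {
    ver="$1" ldd_out="$2" os="$3" arch="$4" libc="$5"
    [ -n "$ver" ] || { echo "xz-not-found"; return 0; }
    xz_release_affected "$ver" || { echo "not-affected-version"; return 0; }
    links_liblzma "$ldd_out" || { echo "affected-version-sshd-not-linked"; return 0; }
    targeted_platform "$os" "$arch" "$libc" || { echo "affected-version-untargeted-platform"; return 0; }
    echo "exposed"
}

# Live mode: `sh xz-triage.sh --host` inspects the current machine. Assumes
# xz, ldd and an sshd binary are installed; missing tools yield empty input.
if [ "${1:-}" = "--host" ]; then
    v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    l=$(ldd "$(command -v sshd || echo /usr/sbin/sshd)" 2>/dev/null)
    c=glibc; ldd --version 2>/dev/null | grep -q 'GNU libc' || c=other
    echo "xz=${v:-none} verdict=$(triage "$v" "$l" "$(uname -s)" "$(uname -m)" "$c")"
fi
```

On a FreeBSD host the script reports the untargeted-platform or not-affected-version verdict, which matches the advisory; on a Linux box with 5.6.x and liblzma in sshd's ldd output it reports exposed.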
