Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1

2024-04-06 Thread FreeBSD User
On Thu, 4 Apr 2024 01:14:52 -0500, Kyle Evans wrote:

> On 4/4/24 00:49, FreeBSD User wrote:
> > Hello,
> > 
> > I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> > 
> > FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me to judge whether the described exploit mechanism also works on FreeBSD. RedHat already sent out a warning; the workaround is to move back towards an older variant.
> > 
> > I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private), so I would like to welcome any comment on that.
> > 
> > Thanks in advance,
> > 
> > O. Hartmann
> 
> See so@'s answer from a couple days ago:
> 
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
> 
> TL;DR no
> 
> Thanks,
> 
> Kyle Evans

Thank you very much.

Kind regards,

oh

-- 
O. Hartmann



Re: pkg-1.21.0: after upgrade 1.20.9_1 -> 1.21.0: pkg core dumps on specific ports

2024-04-06 Thread Rainer Hurling

On 06.04.24 at 09:05, FreeBSD User wrote:

> Hello,
> 
> after updating (portmaster and make) ports-mgmt/ports from 1.20.9_1 -> 1.21.0 on CURRENT and 14-STABLE, I can't update several ports:
> 
> www/apache24
> databases/redis
> 
> pkg core dumps while performing installation. apache24 and redis are ports on which I realized this misbehaviour on ALL 14-STABLE and CURRENT boxes (both OS variants on latest builds, i.e. FreeBSD 15.0-CURRENT #32 main-n269135-da2b732288c7: Fri Apr  5 20:30:39 CEST 2024 amd64).
> 
> After some updates on a poudriere builder (CURRENT base host, 14.0-RELENG jail with poudriere) building packages for 14.0-RELENG, I observed the same behaviour when updating packages on target hosts where pkg is first updated; on those hosts (nextcloud-server and icinga2 hosts also utilizing databases/redis and www/apache24), pkg fails the same way.
> 
> I do not dare to update our poudriere hosts since the problem seems to pop up when pkg 1.21.0 is installed, no matter whether I use poudriere-built ports (from our own builder hosts) or a recent source tree with the portmaster/make build process.
> 
> Looks like a serious bug to me and not a site/user specific problem. Hopefully others do realize the same ...
> 
> Thanks in advance,
> 
> oh



Hmm, I just tried to reproduce that. Both ports mentioned, 
databases/redis and www/apache24, can be built and installed with 
Portmaster. The box is a 15.0-CURRENT with pkg-1.21.0.


Maybe 'pkg check -Bn' or 'portmaster --check-depends --check-port-dbdir' 
show some inconsistencies?


Best wishes,
Rainer




pkg-1.21.0: after upgrade 1.20.9_1 -> 1.21.0: pkg core dumps on specific ports

2024-04-06 Thread FreeBSD User
Hello,

after updating (portmaster and make) ports-mgmt/ports from 1.20.9_1 -> 1.21.0 on CURRENT and 14-STABLE, I can't update several ports:

www/apache24
databases/redis

pkg core dumps while performing installation. apache24 and redis are ports on which I realized this misbehaviour on ALL 14-STABLE and CURRENT boxes (both OS variants on latest builds, i.e. FreeBSD 15.0-CURRENT #32 main-n269135-da2b732288c7: Fri Apr  5 20:30:39 CEST 2024 amd64).

After some updates on a poudriere builder (CURRENT base host, 14.0-RELENG jail with poudriere) building packages for 14.0-RELENG, I observed the same behaviour when updating packages on target hosts where pkg is first updated; on those hosts (nextcloud-server and icinga2 hosts also utilizing databases/redis and www/apache24), pkg fails the same way.

I do not dare to update our poudriere hosts since the problem seems to pop up when pkg 1.21.0 is installed, no matter whether I use poudriere-built ports (from our own builder hosts) or a recent source tree with the portmaster/make build process.

Looks like a serious bug to me and not a site/user specific problem. Hopefully others do realize the same ...

Thanks in advance,

oh 


-- 
O. Hartmann