On Sat, 30 Mar 2024 02:15:53 +0100 (CET) [email protected] wrote: > Hi everyone, > > I recently read through this: > https://www.openwall.com/lists/oss-security/2024/03/29/4 > > It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or > not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, > earlier versions may also be suspect given that this may have been a > deliberate backdoor from a maintainer. > > I propose that we go back to a "known safe" version. It would probably be > unwise to push 14.1 as-is, as well. > > The Github repository has currently been locked out. > > Hoping that someone more aware of what's going on can offer more insight. > > Thanks! > > -Henrich
At least base is not affected. See [1] and [2]. [1] https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html [2] https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/ -- Tomoaki AOKI <[email protected]>
