Good to know, thank you! I do think in this case it may be worth going to an older version because the maintainer was actively malicious. Even if *this* vulnerability looks safe. Just feels like playing with fire at the moment.
Also, it sounds like libarchive had a suspicious commit by the author as well. Good synopsis: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I should probably join freebsd-security while I'm at it...

-Henrich

Mar 30, 2024, 01:22 by [email protected]:

> On Sat, 30 Mar 2024 02:15:53 +0100 (CET)
> [email protected] wrote:
>
>> Hi everyone,
>>
>> I recently read through this:
>> https://www.openwall.com/lists/oss-security/2024/03/29/4
>>
>> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or
>> not, but it looks like 14-stable and main have xz 5.6.0. In my opinion,
>> earlier versions may also be suspect given that this may have been a
>> deliberate backdoor from a maintainer.
>>
>> I propose that we go back to a "known safe" version. It would probably be
>> unwise to push 14.1 as-is, as well.
>>
>> The GitHub repository has currently been locked out.
>>
>> Hoping that someone more aware of what's going on can offer more insight.
>>
>> Thanks!
>>
>> -Henrich
>>
>
> At least base is not affected. See [1] and [2].
>
> [1]
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
> [2]
> https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/
>
>
> --
> Tomoaki AOKI <[email protected]>
>
