Hi all,

On Fri, Mar 29, 2024 at 21:15, <[email protected]> wrote:
> 
> I recently read through this: 
> https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or 
> not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, 
> earlier versions may also be suspect given that this may have been a 
> deliberate backdoor from a maintainer.
> 
> I propose that we go back to a "known safe" version. It would probably be 
> unwise to push 14.1 as-is, as well.
> 
> [...]

1. The point of this backdoor is - to my knowledge - to get a rogue login via SSH.

2. The mechanism relies on the compromised liblzma being linked with sshd.

3. Which is the case for some Linux distributions because they pull in some extra functions for better systemd integration which then pulls in liblzma as a dependency.

4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd is not linked to the compromised library at all.

5. Even if you installed a supposedly compromised xz from ports, there are probably no ill consequences.

Kind regards,
Patrick

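The two facts the reply leans on (which xz version is installed, and whether the sshd binary actually links liblzma) are both easy to verify on a host. The script below is an added example, not part of the thread; it is not FreeBSD project code. It parses the first line of `xz --version` and checks it against the two versions named in the thread, and it scans `ldd` output for liblzma. The two sample `ldd` outputs are constructed to mimic a Linux sshd with systemd linkage and a FreeBSD sshd; the default path `/usr/sbin/sshd` is an assumption and may differ on your system.

```sh
#!/bin/sh
# Added example: defender-side checks for the xz/liblzma issue discussed above.

# Print just the version number from the first line of `xz --version`
# (that line looks like "xz (XZ Utils) 5.6.1").
xz_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Succeed (exit 0) if the version is one of the two named in the thread.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Succeed (exit 0) if the given ldd output mentions liblzma.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Constructed sample: what ldd on a systemd-integrated Linux sshd might show.
SAMPLE_LINUX_LDD='	linux-vdso.so.1
	libsystemd.so.0 => /lib/libsystemd.so.0
	liblzma.so.5 => /lib/liblzma.so.5
	libc.so.6 => /lib/libc.so.6'

# Constructed sample: what ldd on a FreeBSD sshd might show (no liblzma).
SAMPLE_FREEBSD_LDD='	libcrypto.so.30 => /lib/libcrypto.so.30
	libc.so.7 => /lib/libc.so.7'

# Run both checks against the live host; sshd path is an assumption.
check_host() {
    sshd_bin="${1:-/usr/sbin/sshd}"
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
        if is_backdoored_xz_version "$ver"; then
            echo "xz $ver: one of the versions named as backdoored"
        else
            echo "xz $ver: not one of the named versions"
        fi
    fi
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "$sshd_bin links liblzma (exposed if liblzma is compromised)"
        else
            echo "$sshd_bin does not link liblzma"
        fi
    fi
    return 0
}

# Demonstrate the ldd parser on the constructed samples.
if links_liblzma "$SAMPLE_LINUX_LDD"; then
    echo "sample Linux sshd: links liblzma"
fi
if ! links_liblzma "$SAMPLE_FREEBSD_LDD"; then
    echo "sample FreeBSD sshd: does not link liblzma"
fi
```

Run `check_host /path/to/sshd` to inspect a real binary; the absence of liblzma in `ldd` output is the condition point 4 above rests on, while a matching xz version alone only tells you the package is one of the named releases.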