Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1

Reply: FreeBSD User : "Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1"
In reply to: FreeBSD User : "CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Thu, 04 Apr 2024 06:14:52 UTC

On 4/4/24 00:49, FreeBSD User wrote:
> Hello,
> 
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> 
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
> to judge wether the described exploit mechanism also works on FreeBSD.
> RedHat already sent out a warning, the workaround is to move back towards an older variant.
> 
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
> so I would like to welcome any comment on that.
> 
> Thanks in advance,
> 
> O. Hartmann
> 
> 

See so@'s answer from a couple days ago:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

TL;DR no

Thanks,

Kyle Evans