Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
- In reply to: FreeBSD User : "CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 04 Apr 2024 06:56:28 UTC
On April 4, 2024 07:50:55 FreeBSD User <freebsd@walstatt-de.de> wrote: > Hello, > > I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094 > > FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited > skills do not allow me > to judge wether the described exploit mechanism also works on FreeBSD. > RedHat already sent out a warning, the workaround is to move back towards > an older variant. > > I have to report to my superiors (we're using 14-STABLE and CURRENT and I > do so in private), > so I would like to welcome any comment on that. > > Thanks in advance, > > O. Hartmann > > > -- > O. Hartmann As noted on freebsd-security last Friday: FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases. All supported FreeBSD releases include versions of xz that predate the affected releases. The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.