Re: Disclosed backdoor in xz releases - FreeBSD not affected
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 07 Apr 2024 20:42:59 UTC
Bonjour Cédric, We can't; you must do it yourself by sending an email (even a blank one) to: freebsd-security+unsubscribe@freebsd.org ---------------------------------------- 2024-04-07T11:57:04Z Cédric Weis <hawei@free.fr>: > Unsubscribe me please. I don't know how to to it by myself. > > Le 07/04/2024 11:35, « Chen, Alvin W » <owner-freebsd-security@freebsdorg <mailto:owner-freebsd-security@freebsd.org> au nom de Weike.Chen@Dell.com <mailto:Weike.Chen@Dell.com>> a écrit : > > >>>> All supported FreeBSD releases include versions of xz that predate the >> affected releases. >>>> >>>> The main, stable/14, and stable/13 branches do include the affected version >> (5.6.0), but the backdoor components were excluded from the vendor import. >> Additionally, FreeBSD does not use the upstream's build tooling, which was a >> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux >> systems using glibc. >>> >>> Hey Gordon, >>> >>> Is there potential for Linux jails on FreeBSD systems (ie, deployments >>> making use of the Linxulator) to be impacted? Assuming amd64 here, >>> too. >> >> Hard to say for certain, but I suspect the answer is yes. If the jail has the >> vulnerable software installed, there is a decent chance it would be affected. At >> that point, I would refer to the vulnerability statement published by the Linux >> distro the jail is based on. I don’t believe the vulnerability has any kernel >> dependencies that FreeBSD would provide protection. >> >> Certainly, in the world of being conservatively cautious, I would immediately >> address any such Linux jails. >> >> Gordon > My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted. > Please correct my if I am wrong. > > > Internal Use - Confidential