Re: Disclosed backdoor in xz releases - FreeBSD not affected

From: Alexander Burke <alex-freebsd-security_at_alexburke.ca>
Date: Sun, 07 Apr 2024 20:42:59 UTC
Bonjour Cédric,

We can't; you must do it yourself by sending an email (even a blank one) to:

freebsd-security+unsubscribe@freebsd.org



----------------------------------------

2024-04-07T11:57:04Z Cédric Weis <hawei@free.fr>:

> Unsubscribe me please. I don't know how to to it by myself.
> 
> Le 07/04/2024 11:35, « Chen, Alvin W » <owner-freebsd-security@freebsdorg <mailto:owner-freebsd-security@freebsd.org> au nom de Weike.Chen@Dell.com <mailto:Weike.Chen@Dell.com>> a écrit :
> 
> 
>>>> All supported FreeBSD releases include versions of xz that predate the
>> affected releases.
>>>> 
>>>> The main, stable/14, and stable/13 branches do include the affected version
>> (5.6.0), but the backdoor components were excluded from the vendor import.
>> Additionally, FreeBSD does not use the upstream's build tooling, which was a
>> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux
>> systems using glibc.
>>> 
>>> Hey Gordon,
>>> 
>>> Is there potential for Linux jails on FreeBSD systems (ie, deployments
>>> making use of the Linxulator) to be impacted? Assuming amd64 here,
>>> too.
>> 
>> Hard to say for certain, but I suspect the answer is yes. If the jail has the
>> vulnerable software installed, there is a decent chance it would be affected. At
>> that point, I would refer to the vulnerability statement published by the Linux
>> distro the jail is based on. I don’t believe the vulnerability has any kernel
>> dependencies that FreeBSD would provide protection.
>> 
>> Certainly, in the world of being conservatively cautious, I would immediately
>> address any such Linux jails.
>> 
>> Gordon
> My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
> Please correct my if I am wrong.
> 
> 
> Internal Use - Confidential