From: Gordon Tetlow
To: freebsd-security@freebsd.org
Subject: Disclosed backdoor in xz releases - FreeBSD not affected
Date: Fri, 29 Mar 2024 10:02:14 -0700
List-Archive: https://lists.freebsd.org/archives/freebsd-security

FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the affected releases.

The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.

The FreeBSD ports collection does not include xz/liblzma.

Reference:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Best regards,
Gordon Tetlow
Hat: security-officer