Re: Disclosed backdoor in xz releases - FreeBSD not affected

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Fri, 29 Mar 2024 18:15:55 UTC
On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
> 
> All supported FreeBSD releases include versions of xz that predate the affected releases.
> 
> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.

Hey Gordon,

Is there potential for Linux jails on FreeBSD systems (i.e., deployments
making use of the Linuxulator) to be impacted? Assuming amd64 here,
too.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
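A check a defender could run against the question raised above, added here and not part of the thread: it audits the host root, the Linuxulator base and any jail roots for the two xz releases the advisory names. The root paths (such as /compat/linux) and the versioned liblzma file names are assumptions about a Linux userland inside the jail, not facts stated in the thread.

```shell
#!/bin/sh
# Added example (not part of the thread): audit filesystem roots for the xz
# releases the advisory names, 5.6.0 and 5.6.1. Root paths such as
# /compat/linux and jail roots are assumptions about the deployment.

# True (exit 0) when a version string is one of the two affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version from `xz --version` output, whose first line reads
# "xz (XZ Utils) <version>"; the text is passed in so it can come from any root.
parse_xz_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Look for liblzma shared objects whose file name carries an affected version
# (Linux distributions install e.g. /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1).
# Prints each hit; exit 0 if anything was found, 1 if the root looks clean.
scan_root_for_liblzma() {
    matches=$(find "$1" -name 'liblzma.so.5.6.[01]' 2>/dev/null)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
    return 0
}

# Audit every root given on the command line: the host (/), the Linuxulator
# base, and each jail root. Exit status 1 if any root carries an affected build.
audit_roots() {
    status=0
    for root in "$@"; do
        if scan_root_for_liblzma "$root"; then
            echo "$root: affected liblzma present"
            status=1
        else
            echo "$root: no affected liblzma found"
        fi
    done
    return "$status"
}

# Example invocation on a FreeBSD host (jls lists the jail root paths):
#   sh xz_audit.sh / /compat/linux $(jls -h path | sed 1d)
if [ "$#" -gt 0 ]; then
    audit_roots "$@"
fi
```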