Re: xz security issue ? (CVE-2024-3094)
- In reply to: mike tancsa : "xz security issue ? (CVE-2024-3094)"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 29 Mar 2024 18:31:26 UTC
Oh, I didnt see the earlier email for some reason. Thanks Gordon for the email clarification! ---Mike On 3/29/2024 2:22 PM, mike tancsa wrote: > From the redhat advisory, > > What is the malicious code? > The malicious injection present in the xz versions 5.6.0 and 5.6.1 > libraries is obfuscated and only included in full in the download > package - the Git distribution lacks the M4 macro that triggers the > build of the malicious code. The second-stage artifacts are present in > the Git repository for the injection during the build time, in case > the malicious M4 macro is present. > > The resulting malicious build interferes with authentication in sshd > via systemd. SSH is a commonly used protocol for connecting remotely > to systems, and sshd is the service that allows access. Under the > right circumstances this interference could potentially enable a > malicious actor to break sshd authentication and gain unauthorized > access to the entire system remotely. > > Is there any exposure to this on FreeBSD ? > > ---Mike > >