Re: Disclosed backdoor in xz releases - FreeBSD not affected
Date: Fri, 29 Mar 2024 18:43:48 UTC
> On Mar 29, 2024, at 11:15 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > > On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote: >> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases. >> >> All supported FreeBSD releases include versions of xz that predate the affected releases. >> >> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc. > > Hey Gordon, > > Is there potential for Linux jails on FreeBSD systems (ie, deployments > making use of the Linxulator) to be impacted? Assuming amd64 here, > too. Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don’t believe the vulnerability has any kernel dependencies that FreeBSD would provide protection. Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails. Gordon