Backdoor in xz 5.6.0
Date: Fri, 29 Mar 2024 23:47:51 UTC
A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and snuck it into Fedora builds. That's the same version that FreeBSD CURRENT uses. For multiple reasons we aren't vulnerable (the malicious code isn't included in xz's git repo, only its dist tarballs; the malicious code is only triggered on x86_64 Linux in an rpm or deb build; and the malicious code resides in a .m4 file which our build process doesn't use). But upstream considers all of 5.6.0 to be untrustworthy and recommends that everyone downgrade to 5.4.5.

summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
details: https://www.openwall.com/lists/oss-security/2024/03/29/4
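A small triage script, added here as an example and not part of the original post, that encodes the conditions the message lists: it flags an installed xz as one of the two affected releases (5.6.0 or 5.6.1) and separately reports whether the host matches the stated trigger conditions (x86_64, Linux, rpm- or deb-based build). It assumes xz is on PATH and prints its usual "xz (XZ Utils) <version>" banner; the function names are this example's own.

```shell
#!/bin/sh
# Added triage check for the xz 5.6.0/5.6.1 backdoor (example code, not from the post).

# Pull the version number out of a banner such as "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9.]*\).*/\1/p'
}

# Return 0 if the version is one of the two releases upstream declared untrustworthy.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when arch/OS/package format match the trigger conditions in the post:
# x86_64 Linux built as an rpm or deb package.
host_matches_trigger() {
    case "$1:$2:$3" in
        x86_64:Linux:rpm|x86_64:Linux:deb) return 0 ;;
        *) return 1 ;;
    esac
}

# Best-effort guess at the package format on the running host: rpm, deb or other.
detect_pkg_format() {
    if command -v rpm >/dev/null 2>&1; then echo rpm
    elif command -v dpkg >/dev/null 2>&1; then echo deb
    else echo other; fi
}

# Verdict for a given banner and host facts:
#   vulnerable       - affected version AND host matches the trigger conditions
#   affected-version - affected version, but e.g. FreeBSD/amd64 where it is not triggered
#   clean            - some other version (5.4.5 is what upstream recommends)
classify() {
    ver="$(xz_version_from_banner "$1")"
    if xz_version_affected "$ver"; then
        if host_matches_trigger "$2" "$3" "$4"; then echo vulnerable
        else echo affected-version; fi
    else
        echo clean
    fi
}

# Live check against the xz binary on this host.
xz_check_host() {
    banner="$(xz --version 2>/dev/null | head -n1)"
    classify "$banner" "$(uname -m)" "$(uname -s)" "$(detect_pkg_format)"
}
```

An "affected-version" verdict on a FreeBSD box still means the package should be moved to 5.4.5 per upstream's advice, since the trigger conditions are only what has been observed so far.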