Re: Backdoor in xz 5.6.0

From: FreeBSD <freebsd_at_chroot.pl>
Date: Sat, 30 Mar 2024 18:43:36 UTC
Hi all,

regarding xz… have you seen this?
https://github.com/libarchive/libarchive/pull/1609

regards

On 3/30/24 00:47, Alan Somers wrote:
> A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
> snuck it into Fedora builds.  That's the same version that FreeBSD
> CURRENT uses.  For multiple reasons we aren't vulnerable (the
> malicious code isn't included in xz's git repo, only its dist
> tarballs, the malicious code is only triggered on x86_64 linux in an
> rpm or deb build, and the malicious code resides in a .m4 file which
> our build process doesn't use).  But upstream considers all of 5.6.0
> to be untrustworthy and recommends that everyone downgrade to 5.4.5.
> 
> summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
> details: https://www.openwall.com/lists/oss-security/2024/03/29/4
>
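The quoted message points out that the malicious code lived only in the xz distribution tarballs and not in the git repository, in a .m4 file that some build processes pick up. One defensive check that follows from that observation is to extract a release tarball next to a checkout of the matching git tag and list the files that exist only in the tarball, or that differ from the tag. The script below is an added example written for this thread; it is not code from the xz project or from either poster. It builds two small constructed directory trees (a fake git tag and a fake extracted tarball) entirely in a temporary directory, so it runs offline and touches no real xz artefacts; the allowlist of generated files that legitimately appear only in tarballs is an assumption to be adjusted per project, and the file names in the demo trees are invented.

```python
"""Release-tarball vs. git-tag comparison (added example, not from the thread).

Generated files (configure, Makefile.in, ...) legitimately appear only in
dist tarballs, so the report separates those from everything else; an
unexpected .m4 or shell file in the 'unexpected_extra' list is what a
reviewer would then open and inspect by hand.

All directory contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Affected xz releases named in the thread; 5.4.5 is the recommended fallback.
AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# Files autotools normally adds to a dist tarball but not to git.
# Assumption: a plausible allowlist; tune it for the project being checked.
EXPECTED_TARBALL_ONLY = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def is_affected_xz_version(version: str) -> bool:
    """True if the reported xz/liblzma version is one upstream calls untrustworthy."""
    return version.strip() in AFFECTED_XZ_VERSIONS


def _file_digests(root: Path) -> dict[str, str]:
    """Map relative path -> sha256 of content for every regular file under root."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_tarball_to_git(git_dir, tarball_dir) -> dict[str, list[str]]:
    """Classify tarball contents relative to the git tag checkout.

    Returns a dict with three sorted lists:
      'expected_extra'   - tarball-only files on the autotools allowlist
      'unexpected_extra' - tarball-only files NOT on the allowlist (inspect these)
      'modified'         - files present in both trees but with different content
    """
    git = _file_digests(Path(git_dir))
    tar = _file_digests(Path(tarball_dir))
    only_in_tar = set(tar) - set(git)
    return {
        "expected_extra": sorted(f for f in only_in_tar if f in EXPECTED_TARBALL_ONLY),
        "unexpected_extra": sorted(f for f in only_in_tar if f not in EXPECTED_TARBALL_ONLY),
        "modified": sorted(f for f in set(tar) & set(git) if tar[f] != git[f]),
    }


def build_demo_trees(base) -> tuple[Path, Path]:
    """Create two constructed trees: a fake git checkout and a fake extracted
    tarball that carries one extra .m4 file and one altered file."""
    git = Path(base) / "git-tag"
    tar = Path(base) / "dist-tarball"
    common = {
        "configure.ac": "AC_INIT([demo], [1.0])\n",
        "m4/ordinary.m4": "dnl harmless macro\n",
        "src/main.c": "int main(void) { return 0; }\n",
    }
    for root in (git, tar):
        for rel, text in common.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
    # Legitimate generated file that only a dist tarball would carry.
    (tar / "configure").write_text("#!/bin/sh\n# generated\n")
    # Constructed: a macro file absent from git (the pattern the thread describes).
    (tar / "m4" / "extra-macro.m4").write_text("dnl constructed tarball-only macro\n")
    # Constructed: a file present in both trees but changed in the tarball.
    (tar / "m4" / "ordinary.m4").write_text("dnl harmless macro\ndnl line only in tarball\n")
    return git, tar


def run_demo() -> dict[str, list[str]]:
    """Build the constructed trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        git, tar = build_demo_trees(tmp)
        return compare_tarball_to_git(git, tar)


if __name__ == "__main__":
    for key, files in run_demo().items():
        print(f"{key}: {files}")
```

Against a real release you would point `compare_tarball_to_git` at the extracted tarball and a `git checkout` of the corresponding tag; anything in `unexpected_extra` or `modified` is not proof of tampering, since maintainers do sometimes add files at release time, but it is the short list worth reading before the tarball is trusted in a build.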