From the Red Hat advisory:
What is the malicious code?
The malicious injection present in the xz versions 5.6.0 and 5.6.1
libraries is obfuscated and only included in full in the download
package - the Git distribution lacks the M4 macro that triggers the
build of the malicious code. The second-stage artifacts are present in
the Git repository for the injection during the build time, in case the
malicious M4 macro is present.
The resulting malicious build interferes with authentication in sshd via
systemd. SSH is a commonly used protocol for connecting remotely to
systems, and sshd is the service that allows access. Under the right
circumstances this interference could potentially enable a malicious
actor to break sshd authentication and gain unauthorized access to the
entire system remotely.
Is there any exposure to this on FreeBSD?
---Mike
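
Added example, not part of the original message or the Red Hat advisory: a small triage script that flags the two xz versions the advisory names (5.6.0 and 5.6.1) and checks whether a given sshd binary pulls in the xz library at all. It assumes the library appears as `liblzma` in `xz --version` and `ldd` output; the function names and all sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Versions the advisory names as carrying the injection.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Read `xz --version` style text on stdin, print the library version
# (falls back to the xz tool version if no liblzma line is present).
parse_lzma_version() {
    awk '/^liblzma / { lib = $2 }
         /^xz /      { xz = $NF }
         END { if (lib != "") print lib; else print xz }'
}

# Return 0 if version string $1 is one of the versions listed above.
version_affected() {
    for v in $AFFECTED_VERSIONS; do
        if [ "$1" = "$v" ]; then return 0; fi
    done
    return 1
}

# Return 0 if ldd-style text on stdin lists liblzma as a dependency.
links_liblzma() { grep -q 'liblzma\.so'; }

# Combine both checks into one verdict.
# $1 = text of `xz --version`, $2 = text of `ldd <path to sshd>`
triage() {
    ver=$(printf '%s\n' "$1" | parse_lzma_version)
    if ! version_affected "$ver"; then
        echo "not-affected-version"
    elif printf '%s\n' "$2" | links_liblzma; then
        echo "affected-version-linked-into-sshd"
    else
        echo "affected-version-not-linked-into-sshd"
    fi
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_LDD_LINKED='	libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x0000000000000000)
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x0000000000000000)'
SAMPLE_LDD_PLAIN='	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000000000000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x0000000000000000)'

# On a live host: triage "$(xz --version)" "$(ldd "$(command -v sshd)")"
triage "$SAMPLE_XZ_BAD" "$SAMPLE_LDD_LINKED"
```

A version match only says the installed library is one of the named releases; per the advisory, the full injection is present only in builds made from the download package, not from the Git distribution.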