Oh, I didnt see the earlier email for some reason. Thanks Gordon for the
email clarification!
---Mike
On 3/29/2024 2:22 PM, mike tancsa wrote:
From the redhat advisory,
What is the malicious code?
The malicious injection present in the xz versions 5.6.0 and 5.6.1
libraries is obfuscated and only included in full in the download
package - the Git distribution lacks the M4 macro that triggers the
build of the malicious code. The second-stage artifacts are present in
the Git repository for the injection during the build time, in case
the malicious M4 macro is present.
The resulting malicious build interferes with authentication in sshd
via systemd. SSH is a commonly used protocol for connecting remotely
to systems, and sshd is the service that allows access. Under the
right circumstances this interference could potentially enable a
malicious actor to break sshd authentication and gain unauthorized
access to the entire system remotely.
Is there any exposure to this on FreeBSD ?
---Mike
