> On Mar 29, 2024, at 11:15 AM, Shawn Webb <shawn.w...@hardenedbsd.org> wrote:
>
> On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
>> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
>>
>> All supported FreeBSD releases include versions of xz that predate the affected releases.
>>
>> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
>
> Hey Gordon,
>
> Is there potential for Linux jails on FreeBSD systems (i.e., deployments making use of the Linuxulator) to be impacted? Assuming amd64 here, too.
Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don't believe the vulnerability has any kernel dependencies that FreeBSD would provide protection against. Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.

Gordon
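The practical follow-up to the exchange above is an inventory: which jails on the host carry one of the two xz releases named in the thread (5.6.0 and 5.6.1). The script below is an added example, not from the thread or from FreeBSD, and it assumes FreeBSD's jls(8) and jexec(8) on the host, that the Linuxulator is loaded so jexec can run the jail's Linux `xz` binary, and that `xz --version` prints its usual `xz (XZ Utils) <ver>` / `liblzma <ver>` lines. It classifies each jail as affected, ok, or unknown from that output, so the distro's own advisory can then be applied to the jails that need it.

```shell
#!/bin/sh
# Added example: inventory xz/liblzma versions inside FreeBSD jails and flag
# the two upstream releases named in the thread. Assumes jls(8)/jexec(8) and a
# loaded Linuxulator (hypothetical deployment); run as root on the jail host.

# True (0) when the version string is one of the two affected upstream releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the library version out of `xz --version` output, e.g.
#   xz (XZ Utils) 5.6.0
#   liblzma 5.6.0
# Prefers the liblzma line (the backdoor lived in the library), falls back to
# the tool's own version line, prints nothing if neither is present.
parse_xz_version() {
    ver=$(printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }')
    if [ -z "$ver" ]; then
        ver=$(printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ { print $NF; exit }')
    fi
    printf '%s\n' "$ver"
}

# Map raw `xz --version` output to one of: "affected <ver>", "ok <ver>", "unknown".
classify_xz_output() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then
        printf 'unknown\n'
    elif xz_version_affected "$ver"; then
        printf 'affected %s\n' "$ver"
    else
        printf 'ok %s\n' "$ver"
    fi
}

# Walk every running jail and report its xz status, one tab-separated line each.
# `jls name` prints one jail name per line; jexec runs the jail's own xz binary
# (a Linux ELF in a Linux jail, handled by the Linuxulator).
audit_jails() {
    jls name | while read -r jname; do
        if out=$(jexec "$jname" xz --version 2>/dev/null); then
            printf '%s\t%s\n' "$jname" "$(classify_xz_output "$out")"
        else
            printf '%s\tno xz binary found\n' "$jname"
        fi
    done
}

# Only touch the host's jails when explicitly asked: `sh xz-jail-audit.sh --audit`
if [ "${1-}" = "--audit" ]; then
    audit_jails
fi
```

A jail reported as "no xz binary found" still deserves a look at its package database, since liblzma can be installed without the `xz` front end on PATH; the classification above only covers what `xz --version` reveals.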