On April 4, 2024 07:50:55 FreeBSD User <free...@walstatt-de.de> wrote:
Hello,
I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills
do not allow me to judge whether the described exploit mechanism also works on
FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards
an older variant.
I have to report to my superiors (we're using 14-STABLE and CURRENT, and I do
so in private), so I would like to welcome any comment on that.
Thanks in advance,
O. Hartmann
--
O. Hartmann
As noted on freebsd-security last Friday:
FreeBSD is not affected by the recently announced backdoor included in the
5.6.0 and 5.6.1 xz releases.
All supported FreeBSD releases include versions of xz that predate the
affected releases.
The main, stable/14, and stable/13 branches do include the affected version
(5.6.0), but the backdoor components were excluded from the vendor import.
Additionally, FreeBSD does not use the upstream's build tooling, which was
a required part of the attack. Lastly, the attack specifically targeted
x86_64 Linux systems using glibc.