> >> All supported FreeBSD releases include versions of xz that predate the > affected releases. > >> > >> The main, stable/14, and stable/13 branches do include the affected version > (5.6.0), but the backdoor components were excluded from the vendor import. > Additionally, FreeBSD does not use the upstream's build tooling, which was a > required part of the attack. Lastly, the attack specifically targeted x86_64 > Linux > systems using glibc. > > > > Hey Gordon, > > > > Is there potential for Linux jails on FreeBSD systems (ie, deployments > > making use of the Linxulator) to be impacted? Assuming amd64 here, > > too. > > Hard to say for certain, but I suspect the answer is yes. If the jail has the > vulnerable software installed, there is a decent chance it would be affected. > At > that point, I would refer to the vulnerability statement published by the > Linux > distro the jail is based on. I don’t believe the vulnerability has any kernel > dependencies that FreeBSD would provide protection. > > Certainly, in the world of being conservatively cautious, I would immediately > address any such Linux jails. > > Gordon My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted. Please correct my if I am wrong.
Internal Use - Confidential
