Backdoor in xz 5.6.0

From: Alan Somers <asomers_at_freebsd.org>
Date: Fri, 29 Mar 2024 23:47:51 UTC

A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
snuck it into Fedora builds.  That's the same version that FreeBSD
CURRENT uses.  For multiple reasons we aren't vulnerable (the
malicious code isn't included in xz's git repo, only its dist
tarballs, the malicious code is only triggered on x86_64 Linux in an
rpm or deb build, and the malicious code resides in a .m4 file which
our build process doesn't use).  But upstream considers all of 5.6.0
to be untrustworthy and recommends that everyone downgrade to 5.4.5.

summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
details: https://www.openwall.com/lists/oss-security/2024/03/29/4