Date: Sat, 6 Apr 2024 09:23:49 +0200
From: FreeBSD User
To: Kyle Evans
Cc: FreeBSD CURRENT, freebsd-security@freebsd.org
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID: <20240406092416.046598fb@thor.intern.walstatt.dynvpn.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Thu, 4 Apr 2024 01:14:52 -0500 Kyle Evans wrote:

> On 4/4/24 00:49, FreeBSD User wrote:
> > Hello,
> >
> > I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> >
> > FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow
> > me to judge whether the described exploit mechanism also works on FreeBSD.
> > RedHat already sent out a warning, the workaround is to move back towards an older variant.
> >
> > I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in
> > private), so I would like to welcome any comment on that.
> >
> > Thanks in advance,
> >
> > O. Hartmann
> >
> >
>
> See so@'s answer from a couple days ago:
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
> TL;DR no
>
> Thanks,
>
> Kyle Evans

Thank you very much.

Kind regards,

oh

--
O. Hartmann