Re: Disclosed backdoor in xz releases - FreeBSD not affected
- In reply to: Chen, Alvin W: "RE: Disclosed backdoor in xz releases - FreeBSD not affected"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 07 Apr 2024 11:56:24 UTC
Unsubscribe me please. I don't know how to to it by myself. Le 07/04/2024 11:35, « Chen, Alvin W » <owner-freebsd-security@freebsd.org <mailto:owner-freebsd-security@freebsd.org> au nom de Weike.Chen@Dell.com <mailto:Weike.Chen@Dell.com>> a écrit : > >> All supported FreeBSD releases include versions of xz that predate the > affected releases. > >> > >> The main, stable/14, and stable/13 branches do include the affected version > (5.6.0), but the backdoor components were excluded from the vendor import. > Additionally, FreeBSD does not use the upstream's build tooling, which was a > required part of the attack. Lastly, the attack specifically targeted x86_64 Linux > systems using glibc. > > > > Hey Gordon, > > > > Is there potential for Linux jails on FreeBSD systems (ie, deployments > > making use of the Linxulator) to be impacted? Assuming amd64 here, > > too. > > Hard to say for certain, but I suspect the answer is yes. If the jail has the > vulnerable software installed, there is a decent chance it would be affected. At > that point, I would refer to the vulnerability statement published by the Linux > distro the jail is based on. I don’t believe the vulnerability has any kernel > dependencies that FreeBSD would provide protection. > > Certainly, in the world of being conservatively cautious, I would immediately > address any such Linux jails. > > Gordon My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted. Please correct my if I am wrong. Internal Use - Confidential