Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
- In reply to: Patrick M. Hausen: "Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well"
Date: Mon, 01 Apr 2024 11:04:27 UTC
"Patrick M. Hausen" <hausen@punkt.de> writes:
> 4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd
> is not linked to the compromised library at all.

That's not sufficient. The attack payload is a binary blob and has not been fully analyzed; it could have other effects which haven't yet been discovered. However, FreeBSD is not vulnerable because the version of xz included in FreeBSD includes neither the attack payload nor the trojaned build script which injects the payload into the library.

> 5. Even if you installed a supposedly compromised xz from ports, there are probably
> no ill consequences.

We don't have an xz or liblzma port.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org