Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Date: Sat, 30 Mar 2024 01:22:05 UTC
On Sat, 30 Mar 2024 02:15:53 +0100 (CET)
henrichhartzer@tuta.io wrote:

> Hi everyone,
>
> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
>
> I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
>
> The Github repository has currently been locked out.
>
> Hoping that someone more aware of what's going on can offer more insight.
>
> Thanks!
>
> -Henrich

At least base is not affected. See [1] and [2].

[1] https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
[2] https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/

-- 
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
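The thread above only discusses which xz releases are in question; the following POSIX sh check is an added example, not part of the mailing-list exchange or of any FreeBSD or xz project tooling. It parses the two lines that `xz --version` prints (the `xz (XZ Utils) X.Y.Z` line and the `liblzma X.Y.Z` line) and flags the two releases named in the oss-security post, 5.6.0 and 5.6.1. The sample outputs embedded in the script are constructed for offline use, not captured from a real host, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread: flag the xz/liblzma releases named in
# https://www.openwall.com/lists/oss-security/2024/03/29/4 (5.6.0 and 5.6.1).

# Return 0 (true) when the given version string is one of the two releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print one version number per line from `xz --version` output, which looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The tool and the library can differ, so both are reported.
xz_versions_from_output() {
    printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ { print $4 } /^liblzma/ { print $2 }'
}

# Report every version found in the given output; return 0 if any is affected.
check_xz_output() {
    hit=1
    for v in $(xz_versions_from_output "$1"); do
        if xz_version_affected "$v"; then
            echo "AFFECTED: $v"
            hit=0
        else
            echo "ok: $v"
        fi
    done
    return $hit
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

if [ "${1:-}" = "--self-test" ]; then
    check_xz_output "$SAMPLE_BAD"   # prints AFFECTED for both lines
    check_xz_output "$SAMPLE_OK"    # prints ok for both lines
elif command -v xz >/dev/null 2>&1; then
    # Live check of the xz found first in PATH; exit 2 if it is an affected release.
    if check_xz_output "$(xz --version 2>/dev/null)"; then
        exit 2
    fi
fi
```

Run it with `--self-test` to see both sample outcomes, or with no arguments to check the `xz` on the current PATH. A version match is only a first screen: the reported string tells you which release a binary claims to be, not whether the build actually carried the injected object, so treat a hit as a reason to rebuild or roll back from known-good sources rather than as the whole investigation.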