Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

"I'm not a god, I was misquoted." -- Lister, Red Dwarf


devel / comp.unix.bsd.freebsd.misc / xz backdoor

SubjectAuthor
* xz backdoorWinston
`* Re: xz backdoorChristian Weisgerber
 `- Re: xz backdoorAelius Gallus

1
xz backdoor

<yd7chghjtb.fsf@UBEblock.psr.com>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=637&group=comp.unix.bsd.freebsd.misc#637

  copy link   Newsgroups: comp.unix.bsd.freebsd.misc
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: wbe...@UBEBLOCK.psr.com.invalid (Winston)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: xz backdoor
Date: Mon, 01 Apr 2024 17:09:04 -0400
Organization: A noiseless patient Spider
Lines: 12
Message-ID: <yd7chghjtb.fsf@UBEblock.psr.com>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Mon, 01 Apr 2024 21:08:56 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="b12768fbfcd9883ef2f8b4e64d81a850";
logging-data="2859718"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/HTNKHzy6/pxpkXwzwCX1s"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cancel-Lock: sha1:7q5Zj3Za+o5ngkN2TDPKDkp4CMs=
sha1:gby0dOJw/iuivtk0MF+HidU3Gok=
Mail-Copies-To: never
 by: Winston - Mon, 1 Apr 2024 21:09 UTC

Saw a YouTube video about a backdoor that had been snuck into xz
that affects openssh and sshd. The vulnerability was rated
10.0 of 10.0 and the Linux distros were racing to fix it.
If I remember the video correcty, the malware only got in as of
5.6.*, and older versions are not at risk. "xz --version" says
5.4.4, so it looks like FreeBSD is safe, but maybe a newer
version of FreeBSD (13.3 or the upcoming 14.1) might need to
avoid it?

Just passing on the word. This was the video:
https://www.youtube.com/watch?v=OHAyf0qwdCs
-WBE

Re: xz backdoor

<slrnv0m9l4.4hj.naddy@lorvorc.mips.inka.de>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=638&group=comp.unix.bsd.freebsd.misc#638

  copy link   Newsgroups: comp.unix.bsd.freebsd.misc
Path: i2pn2.org!i2pn.org!news.swapon.de!news.in-chemnitz.de!3.eu.feeder.erje.net!feeder.erje.net!news.szaf.org!inka.de!mips.inka.de!.POSTED.localhost!not-for-mail
From: nad...@mips.inka.de (Christian Weisgerber)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: xz backdoor
Date: Mon, 1 Apr 2024 21:27:00 -0000 (UTC)
Message-ID: <slrnv0m9l4.4hj.naddy@lorvorc.mips.inka.de>
References: <yd7chghjtb.fsf@UBEblock.psr.com>
Injection-Date: Mon, 1 Apr 2024 21:27:00 -0000 (UTC)
Injection-Info: lorvorc.mips.inka.de; posting-host="localhost:::1";
logging-data="4660"; mail-complaints-to="usenet@mips.inka.de"
User-Agent: slrn/1.0.3 (FreeBSD)
 by: Christian Weisgerber - Mon, 1 Apr 2024 21:27 UTC

On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:

> Saw a YouTube video about a backdoor that had been snuck into xz
> that affects openssh and sshd. The vulnerability was rated
> 10.0 of 10.0 and the Linux distros were racing to fix it.

It doesn't concern FreeBSD for various reasons. Here's the official
statement:

------------------->
From: Gordon Tetlow <gordon_at_tetlows.org>
Date: Fri, 29 Mar 2024 17:02:14 UTC

FreeBSD is not affected by the recently announced backdoor included in
the 5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the
affected releases.

The main, stable/14, and stable/13 branches do include the affected
version (5.6.0), but the backdoor components were excluded from the
vendor import. Additionally, FreeBSD does not use the upstream's build
tooling, which was a required part of the attack. Lastly, the attack
specifically targeted x86_64 Linux systems using glibc.

The FreeBSD ports collection does not include xz/liblzma.

Reference:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Best regards,
Gordon Tetlow
Hat: security-officer
<-------------------

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

--
Christian "naddy" Weisgerber naddy@mips.inka.de

Re: xz backdoor

<uv817l$1i5p6$1@dont-email.me>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=639&group=comp.unix.bsd.freebsd.misc#639

  copy link   Newsgroups: comp.unix.bsd.freebsd.misc
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: alex...@nospam.mail (Aelius Gallus)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: xz backdoor
Date: Thu, 11 Apr 2024 06:50:29 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 41
Message-ID: <uv817l$1i5p6$1@dont-email.me>
References: <yd7chghjtb.fsf@UBEblock.psr.com> <slrnv0m9l4.4hj.naddy@lorvorc.mips.inka.de>
Injection-Date: Thu, 11 Apr 2024 08:50:29 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="0a02bd82c2422f8cb2f87a0c42e85f20";
logging-data="1644326"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18SoGkrM8yX5b+fUqziVtO/"
User-Agent: tin/2.6.2-20221225 ("Pittyvaich") (FreeBSD/14.0-RELEASE (amd64))
Cancel-Lock: sha1:z4gBXIAFVUSwHtWeyV4yzp0o1E0=
 by: Aelius Gallus - Thu, 11 Apr 2024 06:50 UTC

Christian Weisgerber <naddy@mips.inka.de> wrote:
> On 2024-04-01, Winston <wbe@UBEBLOCK.psr.com.invalid> wrote:
>
>> Saw a YouTube video about a backdoor that had been snuck into xz
>> that affects openssh and sshd. The vulnerability was rated
>> 10.0 of 10.0 and the Linux distros were racing to fix it.
>
> It doesn't concern FreeBSD for various reasons. Here's the official
> statement:
>
> ------------------->
> From: Gordon Tetlow <gordon_at_tetlows.org>
> Date: Fri, 29 Mar 2024 17:02:14 UTC
>
> FreeBSD is not affected by the recently announced backdoor included in
> the 5.6.0 and 5.6.1 xz releases.
>
> All supported FreeBSD releases include versions of xz that predate the
> affected releases.
>
> The main, stable/14, and stable/13 branches do include the affected
> version (5.6.0), but the backdoor components were excluded from the
> vendor import. Additionally, FreeBSD does not use the upstream's build
> tooling, which was a required part of the attack. Lastly, the attack
> specifically targeted x86_64 Linux systems using glibc.
>
> The FreeBSD ports collection does not include xz/liblzma.
>
> Reference:
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Best regards,
> Gordon Tetlow
> Hat: security-officer
> <-------------------
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
Thank you for the explanation, although the technical part was above my head.


devel / comp.unix.bsd.freebsd.misc / xz backdoor

1
server_pubkey.txt

rocksolid light 0.9.81
clearnet tor