HEADS UP: backdoor in upstream xz/liblzma leading to ssh server compromise - HardenedBSD unaffected

Shawn Webb

Mar 29, 2024, 2:43:23 PM
to HardenedBSD Users
Hey all,

A backdoor targeting amd64 linux glibc based systems was recently
found in the xz project. A link to the oss-security mailing list
announcement post is included below. The versions of xz impacted are
5.6.0 and 5.6.1.

Neither FreeBSD nor HardenedBSD is directly affected by this issue.
However, I suspect that those running an amd64 linux glibc jail on
FreeBSD (or HardenedBSD) have the potential to be affected.

Note that the linux.ko and linux64.ko kernel modules are tagged as
insecure/untrustworthy by default in HardenedBSD. Those wishing to
deploy a Linux environment on HardenedBSD must explicitly enable the
Linux syscall translation kernel modules (linux.ko and linux64.ko).

Please let me know if you have any questions, comments, or concerns.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Shawn Webb

Mar 29, 2024, 2:49:14 PM
to HardenedBSD Users
On Fri, Mar 29, 2024 at 06:43:19PM +0000, Shawn Webb wrote:
> Hey all,
>
> A backdoor targeting amd64 linux glibc based systems was recently
> found in the xz project. A link to the oss-security mailing list
> announcement post is included below. The versions of xz impacted are
> 5.6.0 and 5.6.1.
>
> Neither FreeBSD nor HardenedBSD is directly affected by this issue.
> However, I suspect that those running an amd64 linux glibc jail on
> FreeBSD (or HardenedBSD) have the potential to be affected.
>
> Note that the linux.ko and linux64.ko kernel modules are tagged as
> insecure/untrustworthy by default in HardenedBSD. Those wishing to
> deploy a Linux environment on HardenedBSD must explicitly enable the
> Linux syscall translation kernel modules (linux.ko and linux64.ko).
>
> Please let me know if you have any questions, comments, or concerns.

Silly me, I forgot to include the link:
https://www.openwall.com/lists/oss-security/2024/03/29/4

This is also being tracked as CVE-2024-3094.

Christian Severt

Mar 29, 2024, 3:04:21 PM
to Shawn Webb, HardenedBSD Users
Thanks Shawn,

Holy crap, was this what was lighting VINCE up this morning?

Thanks,
Christian

From: Shawn Webb <shawn...@hardenedbsd.org>
Sent: Friday, March 29, 2024 11:49:10 AM
To: HardenedBSD Users <us...@hardenedbsd.org>
Subject: Re: HEADS UP: backdoor in upstream xz/liblzma leading to ssh server compromise - HardenedBSD unaffected
 