From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Heads up: Backdoor in upstream xz tarball, stable version of IPFire likely unaffected, testing version somewhat affected
Date: Fri, 05 Apr 2024 18:51:47 +0200
Message-ID: <4cf823b3-3545-420f-9a86-7f2723b163c4@ipfire.org>

Hi,

Jm2c: I'm working on an update (httpd 2.5.59) and just saw that the "backdoor versions" of 'xz 5.6.0/5.6.1' are still available on ipfire.org (/pub/sources/source-2.x).

Would it not be advisable to delete these versions so that no mischief can be done with them?

Just m2c...

Best
Matthias

On 29.03.2024 22:53, Peter Müller wrote:
> Hello *,
>
> a quick heads-up on reports on the oss-security mailing list that indicate that the upstream
> tarball of xz contains a backdoor since version 5.6.0, with the target objective appearing
> to be backdooring SSH: https://openwall.com/lists/oss-security/2024/03/29/4
>
> Please note that this is a developing situation, so take the assessments below with a
> pinch of salt.
>
> - The latest stable version of IPFire, IPFire 2.29 - Core Update 184, is NOT affected by
>   the backdoor discussed in the oss-security post linked above. This is because it includes
>   xz 5.4.6 (as mentioned in https://www.ipfire.org/blog/ipfire-2-29-core-update-184-released).
>   Further, since IPFire does NOT patch OpenSSH in order to include lzma compression (which
>   is a requirement for the unveiled backdoor to work), my understanding at this time is that
>   OpenSSH on stable IPFire installations is not affected.
>
>   This is further corroborated by the backdoor known so far only becoming active under
>   certain build environment conditions that are not met by IPFire 2.x's build environment.
>
>   However, it currently appears as if the xz developer has actively worked towards including
>   a backdoor, rather than their account having been compromised. Therefore, it may be that
>   there are other backdoors in the xz upstream tarball, and that they have been included in
>   earlier versions.
>
> - Forthcoming Core Update 185 includes two patches that update xz to 5.6.0 and 5.6.1,
>   respectively. These versions are known to include the aforementioned OpenSSH backdoor.
>   The IPFire development team will discuss reversion of xz to a version not known to be
>   affected thus far in the next few days. Currently, both Debian and Fedora opted to
>   revert back to version 5.4.5, rather than 5.4.6 (which is what IPFire currently ships
>   in stable Core Update 184, but is not known to include any malicious code, which only
>   commenced in version 5.6.0).
>
>   Again, since no custom patching of OpenSSH is in place, the unveiled SSH backdoor would
>   not have been functional on IPFire installations.
>
> IPFire is currently unaware of the unveiled backdoor impacting any other service that is
> usually directly exposed on IPFire installations to the internet, such as OpenVPN or IPsec.
>
> For reference, CVE-2024-3094 has been assigned by Red Hat for this issue.
>
> Thanks, and best regards,
> Peter Müller
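The two conditions Peter's message names (an xz/liblzma in the 5.6.0/5.6.1 range, and an sshd whose process image loads liblzma) can be checked on a host with a short POSIX shell script, and the same version test can sweep a source mirror directory for the tarballs Matthias asks to have removed. This is an added example, not IPFire's or the xz project's code; the mirror directory path, the embedded sample `ldd` and `xz --version` text, and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IPFire's or xz's code): check the CVE-2024-3094 preconditions
# described in the thread. The version test is the only thing the thread fixes;
# everything else here (function names, sample text, paths) is illustrative.

# Classify an xz/liblzma version string. Only 5.6.0 and 5.6.1 carry the backdoor.
xz_version_status() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        *)           echo ok ;;
    esac
}

# Pull the liblzma version out of `xz --version` output supplied on stdin
# (second line looks like "liblzma 5.4.6").
liblzma_version() {
    awk '/^liblzma/ { print $2; exit }'
}

# Read `ldd sshd` output on stdin; true when liblzma is among the loaded objects.
# On distributions that link sshd against libsystemd, liblzma shows up transitively,
# which is the path the backdoor used. An unpatched OpenSSH (as on IPFire) shows none.
sshd_loads_liblzma() {
    grep -q 'liblzma\.so'
}

# Combine both facts: version status and whether sshd loads liblzma (yes/no).
assess() {
    ver="$1"; loads="$2"
    if [ "$(xz_version_status "$ver")" = affected ]; then
        if [ "$loads" = yes ]; then echo exploitable; else echo affected-xz-only; fi
    else
        echo ok
    fi
}

# List xz source tarballs in a mirror directory (assumed layout: xz-<version>.tar.*)
# whose version is one of the backdoored releases.
list_affected_tarballs() {
    for f in "$1"/xz-*.tar*; do
        [ -e "$f" ] || continue
        v=$(basename "$f" | sed -E 's/^xz-([0-9.]+)\.tar.*$/\1/')
        if [ "$(xz_version_status "$v")" = affected ]; then echo "$f"; fi
    done
    return 0
}

# Run the checks against the local system (only when invoked with --host).
check_host() {
    if ! command -v xz >/dev/null 2>&1; then echo "xz not installed"; return 0; fi
    ver=$(xz --version | liblzma_version)
    sshd=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && ldd "$sshd" 2>/dev/null | sshd_loads_liblzma; then
        loads=yes
    else
        loads=no
    fi
    echo "liblzma $ver, sshd loads liblzma: $loads -> $(assess "$ver" "$loads")"
}

# Constructed sample inputs, standing in for real tool output.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_LINKED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f)'
SAMPLE_LDD_PLAIN='	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f)'

# Demonstration on the constructed samples.
demo_ver=$(printf '%s\n' "$SAMPLE_XZ_VERSION" | liblzma_version)
if printf '%s\n' "$SAMPLE_LDD_LINKED" | sshd_loads_liblzma; then l1=yes; else l1=no; fi
if printf '%s\n' "$SAMPLE_LDD_PLAIN" | sshd_loads_liblzma; then l2=yes; else l2=no; fi
echo "sample A (libsystemd build): $(assess "$demo_ver" "$l1")"
echo "sample B (plain OpenSSH):    $(assess "$demo_ver" "$l2")"

if [ "${1:-}" = "--host" ]; then check_host; fi
```

A match here means the preconditions the thread describes are present, not that a host was compromised: Peter's message notes the payload also only activates under certain build conditions, and the `ldd` test only covers the libsystemd linkage path. A mirror sweep with `list_affected_tarballs /pub/sources/source-2.x` (path assumed) reports the 5.6.0/5.6.1 tarballs regardless of any build.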