From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Heads up: Backdoor in upstream xz tarball, stable version of IPFire likely unaffected, testing version somewhat affected
Date: Mon, 08 Apr 2024 17:33:11 +0100
In-Reply-To: <4cf823b3-3545-420f-9a86-7f2723b163c4@ipfire.org>

Hello Matthias,

I think there is very little point in removing those as they will be mirrored all over the internet. We are also mirroring the Git repository which contains some bad eggs, too.

Let's keep this for history :)

-Michael

> On 5 Apr 2024, at 17:51, Matthias Fischer wrote:
>
> Hi,
>
> Jm2c:
>
> I'm working on an update (httpd 2.5.59) and just saw that the "backdoor versions" of 'xz 5.6.0/5.6.1' are still available on ipfire.org (/pub/sources/source-2.x).
>
> Would it not be advisable to delete these versions so that no mischief can be done with them?
>
> Just m2c...
>
> Best
> Matthias
>
> On 29.03.2024 22:53, Peter Müller wrote:
>> Hello *,
>>
>> a quick heads-up on reports on the oss-security mailing list that indicate the upstream tarball of xz containing a backdoor since version 5.6.0, with the target objective appearing to constitute in backdooring SSH: https://openwall.com/lists/oss-security/2024/03/29/4
>>
>> Please note that this is a developing situation, so take the assessments below with a pinch of salt.
>>
>> - The latest stable version of IPFire, IPFire 2.29 - Core Update 184, is NOT affected by the backdoor discussed in the oss-security post linked above. This is because it includes xz 5.4.6 (as mentioned in https://www.ipfire.org/blog/ipfire-2-29-core-update-184-released). Further, since IPFire does NOT patch OpenSSH in order to include lzma compression (which is a requirement for the unveiled backdoor to work), my understanding at this time is that OpenSSH on stable IPFire installations is not affected.
>>
>> This is further corroborated by the backdoor known so far only becoming active under certain build environment conditions that are not met by IPFire 2.x's build environment.
>>
>> However, it currently appears as if the xz developer has actively worked towards including a backdoor, rather than their account having been compromised. Therefore, it may be that there are other backdoors in the xz upstream tarball, and that they have been included in earlier versions.
>>
>> - Forthcoming Core Update 185 includes two patches that update xz to 5.6.0 and 5.6.1, respectively. These versions are known to include the aforementioned OpenSSH backdoor. The IPFire development team will discuss reversion of xz to a version not known to be affected thus far in the next few days. Currently, both Debian and Fedora opted to revert back to version 5.4.5, rather than 5.4.6 (which is what IPFire currently ships in stable Core Update 184, but is not known to include any malicious code, which only commenced in version 5.6.0).
>>
>> Again, since no custom patching of OpenSSH is in place, the unveiled SSH backdoor would not have been functional on IPFire installations.
>>
>> IPFire is currently unaware of the unveiled backdoor impacting any other service that is usually directly exposed on IPFire installations to the internet, such as OpenVPN or IPsec.
>>
>> For reference, CVE-2024-3094 has been assigned by Red Hat for this issue.
>>
>> Thanks, and best regards,
>> Peter Müller
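The two preconditions Peter's assessment rests on (an xz release of 5.6.0 or 5.6.1, and an sshd that actually loads liblzma) can be checked on a host directly. The script below is an added example written for this thread, not IPFire project code; it assumes a POSIX sh with `ldd` and `awk` available and a default sshd path of /usr/sbin/sshd.

```shell
#!/bin/sh
# Added example, not code from the IPFire thread. Host-side checks for the
# preconditions named in the thread: the xz release in use, and whether the
# sshd binary pulls in liblzma at all. Assumes POSIX sh plus `ldd` and `awk`.

# Releases the thread identifies as carrying the backdoor (CVE-2024-3094).
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# xz_version_affected VERSION: succeed (0) if VERSION is a known backdoored release.
xz_version_affected() {
    for v in $AFFECTED_XZ_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# installed_xz_version: print the version reported by the local xz binary
# (first line of `xz --version` reads "xz (XZ Utils) 5.4.6"), or nothing if absent.
installed_xz_version() {
    xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# sshd_links_liblzma SSHD_PATH: succeed (0) if the binary's shared-library
# dependencies include liblzma. On a build with no lzma linkage, as the thread
# describes for IPFire, this fails (1) even if a backdoored xz is installed.
sshd_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# main [SSHD_PATH]: print an assessment; return 2 if both preconditions hold,
# 1 if only the xz version matches a backdoored release, 0 otherwise.
main() {
    sshd="${1:-/usr/sbin/sshd}"   # assumed default location of the sshd binary
    ver="$(installed_xz_version)"
    status=0
    if xz_version_affected "$ver"; then
        echo "xz ${ver}: known backdoored release"
        status=1
        if sshd_links_liblzma "$sshd"; then
            echo "${sshd} links liblzma: backdoor precondition met"
            status=2
        fi
    else
        echo "xz ${ver:-not found}: not a known backdoored release"
    fi
    return "$status"
}

# Run the assessment only when invoked as `sh check-xz.sh --check [SSHD_PATH]`.
case "${1:-}" in --check) shift; main "$@" ;; esac
```

Exit status 2 is the only case in which the SSH backdoor described in the thread could function; status 1 still calls for reverting xz, since the thread notes other payloads in the same releases cannot be ruled out.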