From: Peter Müller
To: development@lists.ipfire.org
Subject: Heads up: Backdoor in upstream xz tarball, stable version of IPFire likely unaffected, testing version somewhat affected
Date: Fri, 29 Mar 2024 21:53:00 +0000

Hello *,

a quick heads-up on reports on the oss-security mailing list that indicate that the upstream tarball of xz has contained a backdoor since version 5.6.0, with the target objective appearing to be backdooring SSH: https://openwall.com/lists/oss-security/2024/03/29/4

Please note that this is a developing situation, so take the assessments below with a pinch of salt.

- The latest stable version of IPFire, IPFire 2.29 - Core Update 184, is NOT affected by the backdoor discussed in the oss-security post linked above. This is because it includes xz 5.4.6 (as mentioned in https://www.ipfire.org/blog/ipfire-2-29-core-update-184-released).

  Further, since IPFire does NOT patch OpenSSH in order to include lzma compression (which is a requirement for the unveiled backdoor to work), my understanding at this time is that OpenSSH on stable IPFire installations is not affected.

  This is further corroborated by the backdoor known so far only becoming active under certain build environment conditions that are not met by IPFire 2.x's build environment.

  However, it currently appears as if the xz developer has actively worked towards including a backdoor, rather than their account having been compromised. Therefore, it may be that there are other backdoors in the xz upstream tarball, and that they have been included in earlier versions.

- Forthcoming Core Update 185 includes two patches that update xz to 5.6.0 and 5.6.1, respectively. These versions are known to include the aforementioned OpenSSH backdoor.

  The IPFire development team will discuss reversion of xz to a version not known to be affected thus far in the next few days. Currently, both Debian and Fedora opted to revert back to version 5.4.5, rather than 5.4.6 (which is what IPFire currently ships in stable Core Update 184, but is not known to include any malicious code, which only commenced in version 5.6.0).

  Again, since no custom patching of OpenSSH is in place, the unveiled SSH backdoor would not have been functional on IPFire installations.

IPFire is currently unaware of the unveiled backdoor impacting any other service that is usually directly exposed on IPFire installations to the internet, such as OpenVPN or IPsec.

For reference, CVE-2024-3094 has been assigned by Red Hat for this issue.

Thanks, and best regards,
Peter Müller
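As an added example (not part of the message above or of IPFire's own tooling), a POSIX shell check for the two conditions the message names: whether the installed xz is one of the two releases known to carry the backdoor, and whether the sshd binary links liblzma, which unpatched OpenSSH does not. Function names, the verdict strings and the sample `xz --version` and `ldd` outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the IPFire post: defender-side checks for the two
# conditions the message names. Function names and sample outputs are constructed.

# Extract the version number from `xz --version` output ("xz (XZ Utils) 5.4.6 ...").
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) for the two releases known to ship the backdoor (CVE-2024-3094).
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True (exit 0) when `ldd` output for a binary lists liblzma. Unpatched OpenSSH,
# as on IPFire, never links it; the SSH backdoor needs sshd to load liblzma.
ldd_shows_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Verdict for a host: "sshd-exposed" when a backdoored xz is installed AND sshd
# loads liblzma; "xz-only" when only xz matches (still revert it, the message
# warns other backdoors may exist); "clean" otherwise.
assess() {
    xz_output=$1; ldd_output=$2
    ver=$(xz_version_from_output "$xz_output")
    if xz_version_is_backdoored "$ver"; then
        if ldd_shows_liblzma "$ldd_output"; then echo "sshd-exposed"; else echo "xz-only"; fi
    else
        echo "clean"
    fi
}

# Constructed sample outputs mirroring the stable and testing IPFire cases.
SAMPLE_XZ_STABLE="xz (XZ Utils) 5.4.6
liblzma 5.4.6"
SAMPLE_XZ_TESTING="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_LDD_SSHD="    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f00)
    libc.so.6 => /lib/libc.so.6 (0x00007e00)"

# Run against the live host with `sh xzcheck.sh --live` (needs xz and ldd on PATH).
if [ "${1:-}" = "--live" ]; then
    assess "$(xz --version 2>/dev/null)" "$(ldd /usr/sbin/sshd 2>/dev/null)"
fi
```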