| From: | Étienne BERSAC <etienne(dot)bersac(at)dalibo(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Andres Freund <andres(at)anarazel(dot)de> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Security lessons from liblzma - libsystemd |
| Date: | 2024-04-08 10:05:18 |
| Message-ID: | 7ec2fbbb35bee29c8f033606ef172c0b8a82727b.camel@dalibo.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
> There are many more interesting and scary libraries in the dependency
> tree of "postgres", so just picking off one right now doesn't really
> accomplish anything. The next release of libsystemd will drop all
> the compression libraries as hard dependencies, so the issue in that
> sense is gone anyway. Also, fun fact: liblzma is also a dependency
> via libxml2.
Having an audit of all libraries linked to postgres and their level of
trust should help to point the next weak point. I'm pretty sure we have
several of these tiny libraries maintained by a lone out of time hacker
linked somewhere. What is the next xz ?
Regards,
Étienne
--
DALIBO
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2024-04-08 10:31:41 | Re: Synchronizing slots from primary to standby |
| Previous Message | Pavel Borisov | 2024-04-08 09:59:43 | Re: Table AM Interface Enhancements |