Re: Security lessons from liblzma

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Cc: Andres Freund <andres(at)anarazel(dot)de>
Subject: Re: Security lessons from liblzma
Date: 2024-04-01 20:58:07
Message-ID: Zgsf3wCRUeHKGigu@momjian.us
Lists: pgsql-hackers

On Fri, Mar 29, 2024 at 06:37:24PM -0400, Bruce Momjian wrote:
> You might have seen reports today about a very complex exploit added to
> recent versions of liblzma. Fortunately, it was only enabled two months
> ago and has not been pushed to most stable operating systems like Debian
> and Ubuntu. The original detection report is:
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4

I was watching this video about the exploit:

https://www.youtube.com/watch?v=bS9em7Bg0iU

and at 2:29, they mention "hero software developer", our own Andres
Freund as the person who discovered the exploit. I noticed the author's
name at the openwall email link above, but I assumed it was someone else
with the same name. They mentioned it was found while researching
Postgres performance, and then I noticed the email address matched!

I thought the analogy he uses at the end of the video is very clear.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.
