tcpdump mailing list archives
Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)
From: Francois-Xavier Le Bail via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Tue, 2 Apr 2024 14:06:28 +0200
From: Francois-Xavier Le Bail <devel.fx.lebail () orange fr>
On 01/04/2024 20:18, Guy Harris wrote:
> On Apr 1, 2024, at 6:53 AM, Michael Richardson <mcr () sandelman ca> wrote:
>> I wonder if we should nuke our own make tarball system.
>
> I.e., replace:
>
>     to get {libpcap,tcpdump,tcpslice} version X.Y.Z, download {libpcap,tcpdump,tcpslice}-X.Y.Z.tar.{compression-suffix}
>
> with
>
>     to get {libpcap,tcpdump,tcpslice} version X.Y.Z, do git clone {repository} and then check out Git tag {libpcap,tcpdump,tcpslice}-X.Y.Z?
>
> If so, do we 1) require people to have autotools installed and run ./autogen.sh or 2) generate the configure scripts on some standard platform and check it in so that they have a configure script? Or is there some other way to arrange that people can get the configure scripts?

Even if we keep the tarball archive, we could have a host compromise (bad autoconf, etc.) and if the "configure" script is generated on it, we risk opening a door to an attack. Thus, don't deliver "configure" in the tarball and ask to run "./autogen.sh" with autotools installed.
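One practical check that follows from the point made above: files that exist in a release tarball but not in the matching Git tag are, by construction, artefacts produced on the release host (typically "configure" and friends), so they are the ones to inspect or regenerate. The script below is an added example, not code from the thread or from the tcpdump project; the tag's file list is assumed to come from `git ls-tree -r --name-only <tag>`, and the demo data (a hypothetical libpcap-9.9.9) is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the thread or the tcpdump project: list the files
# that a release tarball contains but the corresponding Git tag does not.
# Generated artefacts such as "configure" exist only in the tarball, so they
# are exactly what a compromised release host could have altered unnoticed.
#
# tarball_only_files <tarball> <tag-file-list>
#   <tag-file-list> is the output of: git ls-tree -r --name-only <tag>
# Assumes the tarball unpacks into a single top-level "<name>-<version>/" dir.
LC_ALL=C
export LC_ALL

tarball_only_files() {
    tarball=$1
    taglist=$2
    tmp=${TMPDIR:-/tmp}/tarcheck.$$
    # Drop directory entries, strip the leading "<name>-<version>/" component,
    # then print entries that have no counterpart in the tag's file list.
    tar tf "$tarball" | grep -v '/$' | sed 's#^[^/]*/##' | sort -u > "$tmp.tar"
    sort -u "$taglist" > "$tmp.tag"
    comm -23 "$tmp.tar" "$tmp.tag"
    rm -f "$tmp.tar" "$tmp.tag"
}

# Constructed demonstration data (hypothetical version 9.9.9): a tree with two
# generated files that would never be tracked in Git.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/libpcap-9.9.9/m4"
    : > "$work/libpcap-9.9.9/configure.ac"
    : > "$work/libpcap-9.9.9/autogen.sh"
    : > "$work/libpcap-9.9.9/m4/macros.m4"
    : > "$work/libpcap-9.9.9/configure"      # generated by autoconf, not in Git
    : > "$work/libpcap-9.9.9/config.h.in"    # generated by autoheader, not in Git
    (cd "$work" && tar cf libpcap-9.9.9.tar libpcap-9.9.9)
    # What "git ls-tree -r --name-only libpcap-9.9.9" would print for the tag.
    printf '%s\n' autogen.sh configure.ac m4/macros.m4 > "$work/tag.txt"
    tarball_only_files "$work/libpcap-9.9.9.tar" "$work/tag.txt"
    rm -rf "$work"
}
```

Running `demo` prints `config.h.in` and `configure`, the two files a downstream builder cannot trace back to the tag and would instead regenerate with `./autogen.sh`.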