On Fri, Mar 29, 2024 at 06:37:24PM -0400, Bruce Momjian wrote:
> You might have seen reports today about a very complex exploit added to
> recent versions of liblzma. Fortunately, it was only enabled two months
> ago and has not been pushed to most stable operating systems like Debian
> and Ubuntu. The original detection report is:
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
I was watching this video about the exploit:
https://www.youtube.com/watch?v=bS9em7Bg0iU
and at 2:29, they mention "hero software developer", our own Andres
Freund, as the person who discovered the exploit. I noticed the author's
name at the openwall email link above, but I assumed it was someone else
with the same name. They mentioned it was found while researching
Postgres performance, and then I noticed the email address matched!
I thought the analogy he uses at the end of the video was very clear.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.