Re: Security lessons from liblzma - libsystemd
Étienne BERSAC <etienne.bersac@dalibo.com>
From: Étienne BERSAC <etienne.bersac@dalibo.com>
To: Peter Eisentraut <peter@eisentraut.org>, Magnus Hagander <magnus@hagander.net>, Andres Freund <andres@anarazel.de>
Cc: Bruce Momjian <bruce@momjian.us>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2024-04-08T10:05:18Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Introduce a non-recursive JSON parser
- 3311ea86edc7 17.0 cited
Hi, > There are many more interesting and scary libraries in the dependency > tree of "postgres", so just picking off one right now doesn't really > accomplish anything. The next release of libsystemd will drop all > the compression libraries as hard dependencies, so the issue in that > sense is gone anyway. Also, fun fact: liblzma is also a dependency > via libxml2. Having an audit of all libraries linked to postgres and their level of trust should help to point the next weak point. I'm pretty sure we have several of these tiny libraries maintained by a lone out of time hacker linked somewhere. What is the next xz ? Regards, Étienne -- DALIBO