Hi All,

To get the lynis-3.0.5 signature the only way I found to get it was to select the 3.0.6 signature button which gives the 404 error and then edit the url to 3.0.5

Using that 3.0.5 signature with the lynis-3.0.5 file from github gives a Bad Signature result.

So then I had to download 3.0.5 from the website, again by editing the url to 3.0.5 then I was able to get a good signature result.

So even with 3.0.5 there is a mismatch between the https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz on the website and the https://github.com/CISOfy/lynis/releases/tag/3.0.5 version in github.

How do we know that the version that is in the https://downloads.cisofy.com/lynis/ website is the correct version. Do we just have to assume that because the other version is in github it *must* be the wrong one!!

Regards,

Adolf.


On 23/10/2021 19:06, Adolf Belka wrote:
> Hi Peter,
>
> On 23/10/2021 18:36, Peter Müller wrote:
>> Hello *,
>>
>> trying to work through volume 5 of 100 of my TODO list, I stumbled across Lynis 3.0.6
>> once again. Since Packet Storm returned different source code files for every download
>> attempt, Arne reverted Adolf's patch in https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=55cb5e9324dbec88cac9581930aaee4e3a598a9b.
>>
>> Meanwhile, things have changed: Packet Storm now seems to return the same file every
>> time, no matter where the HTTPS request comes from. Checksums of the downloaded file
>> also match the .tar.gz available at https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz,
>> while GitHub still offers a different version:
>>
>>> $ md5sum lynis-3.0.6.tar.gz-*
>>> 23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz-cisofy
>>> c5429c532653a762a55a994d565372aa  lynis-3.0.6.tar.gz-github
>>> 23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz-packetstorm
>> Worse, CISOfy used do digitally sign releases, but https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz.asc
>> just shows a 404 to me - while PGP signatures for previous releases are present. This
>> is bad, and does not look like they are taking security serious there. :-/
>>
>> Therefore, I would vote for not updating to Lynis 3.0.6 at the moment. Version 3.0.5
>> looks fine to me, at least it has a valid PGP signature. Let's hope the Lynis folks
>> get their stuff sorted soon - preferably before releasing version 3.0.7.
>
> I will then redo my lynis patch to update to 3.0.5 and supersede the previous version.
>
> Adolf.
>
>> Thanks, and best regards,
>> Peter Müller