Hi Peter,
On 23/10/2021 18:36, Peter Müller wrote:
> Hello *,
>
> trying to work through volume 5 of 100 of my TODO list, I stumbled across Lynis 3.0.6 once again. Since Packet Storm returned different source code files for every download attempt, Arne reverted Adolf's patch in https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=55cb5e9324dbec88cac95819....
>
> Meanwhile, things have changed: Packet Storm now seems to return the same file every time, no matter where the HTTPS request comes from. Checksums of the downloaded file also match the .tar.gz available at https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz, while GitHub still offers a different version:
>
> $ md5sum lynis-3.0.6.tar.gz-*
> 23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz-cisofy
> c5429c532653a762a55a994d565372aa  lynis-3.0.6.tar.gz-github
> 23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz-packetstorm
>
> Worse, CISOfy used to digitally sign releases, but https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz.asc just shows a 404 to me - while PGP signatures for previous releases are present. This is bad, and does not look like they are taking security seriously there. :-/
>
> Therefore, I would vote for not updating to Lynis 3.0.6 at the moment. Version 3.0.5 looks fine to me, at least it has a valid PGP signature. Let's hope the Lynis folks get their stuff sorted soon - preferably before releasing version 3.0.7.
>
> Thanks, and best regards,
> Peter Müller

I will then redo my lynis patch to update to 3.0.5 and supersede the previous version.

Adolf.
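The two checks Peter describes above (do copies of the tarball fetched from several mirrors agree, and does the detached PGP signature verify) can be scripted so that a missing .asc file fails the build instead of being silently skipped. The script below is an added example, not IPFire's or CISOfy's code; it uses SHA-256 rather than the md5sum from the mail, stands in for mirror downloads with locally constructed files so it runs offline, and the key-ring path, file names and the idea of a vendor-only key ring are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from IPFire or CISOfy): cross-check mirror copies of a
# release tarball and fail closed when the detached PGP signature is absent.
set -u

# SHA-256 hex digest, portable across sha256sum (coreutils) and shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if every file given has the same digest, 1 if any copy differs.
# Prints one "digest  file" line per copy so the mismatch is visible in build logs.
checksums_agree() {
    ref=""
    rc=0
    for f in "$@"; do
        sum=$(sha256_of "$f")
        printf '%s  %s\n' "$sum" "$f"
        if [ -z "$ref" ]; then
            ref=$sum
        elif [ "$sum" != "$ref" ]; then
            rc=1
        fi
    done
    return $rc
}

# Verify tarball against its detached signature. A missing .asc (the 404 case in
# the mail) returns 2 and refuses the file; it is never treated as "nothing to check".
# KEYRING is assumed to contain only the vendor's release key (hypothetical path).
verify_signature() {
    tarball=$1
    sig=${2:-$1.asc}
    keyring=${3:-./vendor-keyring.gpg}
    if [ ! -f "$sig" ]; then
        echo "refusing $tarball: signature $sig is missing" >&2
        return 2
    fi
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$tarball"
}

# Demo with constructed files standing in for the three mirror downloads from the
# mail: two identical copies and one that differs, as in Peter's md5sum listing.
demo() {
    tmp=$(mktemp -d)
    printf 'release payload\n' > "$tmp/lynis-3.0.6.tar.gz-cisofy"
    printf 'release payload\n' > "$tmp/lynis-3.0.6.tar.gz-packetstorm"
    printf 'different payload\n' > "$tmp/lynis-3.0.6.tar.gz-github"
    if checksums_agree "$tmp"/lynis-3.0.6.tar.gz-*; then
        echo "all mirrors agree"
    else
        echo "mirror mismatch: do not import this release" >&2
    fi
    # No .asc was published for this constructed release, so this refuses it.
    verify_signature "$tmp/lynis-3.0.6.tar.gz-cisofy" "" "$tmp/vendor-keyring.gpg" \
        || echo "signature check failed with status $?" >&2
    rm -rf "$tmp"
}

demo
```

Agreement between mirrors only shows that they serve the same bytes; it says nothing about whether those bytes are the vendor's. That is what the signature step is for, which is why a missing .asc must stop the import rather than be skipped, exactly the situation Peter hit with 3.0.6.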