Hi All,
To get the lynis-3.0.5 signature, the only way I found was to select the 3.0.6 signature button, which gives the 404 error, and then edit the URL to 3.0.5.
Using that 3.0.5 signature with the lynis-3.0.5 file from github gives a Bad Signature result.
So then I had to download 3.0.5 from the website, again by editing the URL to 3.0.5, and then I was able to get a good signature result.
So even with 3.0.5 there is a mismatch between the https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz on the website and the https://github.com/CISOfy/lynis/releases/tag/3.0.5 version in github.
How do we know that the version that is on the https://downloads.cisofy.com/lynis/ website is the correct version? Do we just have to assume that because the other version is in GitHub it *must* be the wrong one!!
Regards,
Adolf.
On 23/10/2021 19:06, Adolf Belka wrote:
Hi Peter,
On 23/10/2021 18:36, Peter Müller wrote:
Hello *,
trying to work through volume 5 of 100 of my TODO list, I stumbled across Lynis 3.0.6 once again. Since Packet Storm returned different source code files for every download attempt, Arne reverted Adolf's patch in https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=55cb5e9324dbec88cac95819....
Meanwhile, things have changed: Packet Storm now seems to return the same file every time, no matter where the HTTPS request comes from. Checksums of the downloaded file also match the .tar.gz available at https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz, while GitHub still offers a different version:
$ md5sum lynis-3.0.6.tar.gz-*
23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz-cisofy
c5429c532653a762a55a994d565372aa  lynis-3.0.6.tar.gz-github
23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz-packetstorm
Worse, CISOfy used to digitally sign releases, but https://downloads.cisofy.com/lynis/lynis-3.0.6.tar.gz.asc just shows a 404 to me - while PGP signatures for previous releases are present. This is bad, and does not look like they are taking security seriously there. :-/
Therefore, I would vote for not updating to Lynis 3.0.6 at the moment. Version 3.0.5 looks fine to me, at least it has a valid PGP signature. Let's hope the Lynis folks get their stuff sorted soon - preferably before releasing version 3.0.7.
I will then redo my lynis patch to update to 3.0.5 and supersede the previous version.
Adolf.
Thanks, and best regards, Peter Müller
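The checks discussed in this thread (do the tarballs from the vendor site, GitHub and Packet Storm actually match, and does the detached .asc signature verify against the tarball), as an added example that is not part of the original mails or of the Lynis project. The file names and the presence of the signing key in the local keyring are assumptions; it uses SHA-256 rather than the MD5 shown above.

```shell
#!/bin/sh
# Added example: cross-check one release tarball downloaded from several
# mirrors, then verify its detached PGP signature. File names are assumed.

# check_mirrors FILE...: print the SHA-256 of every file and return 0 only
# if all of them hash identically (the "GitHub differs" case returns 1).
check_mirrors() {
    first=""
    status=0
    for f in "$@"; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$f"
        if [ -z "$first" ]; then
            first=$sum
        elif [ "$sum" != "$first" ]; then
            status=1
        fi
    done
    return $status
}

# verify_sig TARBALL: verify TARBALL.asc against TARBALL. gpg exits non-zero
# on a bad signature, an unknown key, or a missing .asc (the 404 case), and
# we return 2 if gpg itself is not installed.
verify_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    gpg --batch --verify "$1.asc" "$1"
}

# verify_release TARBALL MIRROR_COPY...: both checks must pass; a mismatch
# between mirrors is reported before the signature is even looked at.
verify_release() {
    check_mirrors "$@" || { echo "mirror checksums differ" >&2; return 1; }
    verify_sig "$1"
}
# Usage (assumed names): verify_release lynis-3.0.5.tar.gz-cisofy \
#     lynis-3.0.5.tar.gz-github lynis-3.0.5.tar.gz-packetstorm
```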