We were told by Michal Zalewski that gzexe as shipped with gzip uses an unsecure method decompressing executables on the fly opening a way of calling arbitrary programs. Newer versions for bo and hamm are fixing this. We recommend you upgrade your gzip package if you're using the gzexe method. dpkg -i file.deb will install the referenced file. Debian GNU/Linux 1.3.1 alias bo ------------------------------- Source archives: ftp://ftp.debian.org/debian/bo/source/base/gzip_1.2.4-26.1.diff.gz MD5 checksum: d2954d118da06e4a0dc5f92890dc9fcc ftp://ftp.debian.org/debian/bo/source/base/gzip_1.2.4-26.1.dsc MD5 checksum: 223bfd632a6d39334f50db5b5f5c0119 ftp://ftp.debian.org/debian/bo/source/base/gzip_1.2.4.orig.tar.gz MD5 checksum: b94b3e07797e0cbf3622bb2fe5682f0b Intel architecture: ftp://ftp.debian.org/debian/bo/binary-i386/base/gzip_1.2.4-26.1.deb MD5 checksum: 1f7cb9c0f4c4377cc762e2a00575274d Debian GNU/Linux pre2.0 alias hamm ---------------------------------- Source archives: ftp://ftp.debian.org/debian/hamm/hamm/source/base/gzip_1.2.4-27.diff.gz MD5 checksum: 01e579067ea2555fcaf80c87e4cb837c ftp://ftp.debian.org/debian/hamm/hamm/source/base/gzip_1.2.4-27.dsc MD5 checksum: d944c76a8994d60c91ae7a59f0e4419c ftp://ftp.debian.org/debian/hamm/hamm/source/base/gzip_1.2.4.orig.tar.gz MD5 checksum: b94b3e07797e0cbf3622bb2fe5682f0b Alpha architecture: ftp://ftp.debian.org/debian/hamm/hamm/binary-alpha/base/gzip_1.2.4-27.deb MD5 checksum: 450cdf045e782ec563ac20ecf96da191 Intel architecture: ftp://ftp.debian.org/debian/hamm/hamm/binary-i386/base/gzip_1.2.4-27.deb MD5 checksum: c172997abdc49c215358613016a9568a Motorola 68xxx architecture: ftp://ftp.debian.org/debian/hamm/hamm/binary-m68k/base/gzip_1.2.4-27.deb MD5 checksum: ed7203870b6f7358f9bf1d3427ca5138 PowerPC architecture: This architecture is considered experemental. No fixed gzip package can be provided. Use at your own risk. Sparc architecture: ftp://ftp.debian.org/debian/hamm/hamm/binary-sparc/base/gzip_1.2.4-27.deb MD5 checksum: 3183f4805ef2ed38009cf0ce3df4441d -- Debian GNU/Linux . Security Managers . security@debian.org debian-security-announce@lists.debian.org Christian Hudon <chrish@debian.org> . Martin Schulze <joey@debian.org>
Attachment:
pgpzUiQqaMbV3.pgp
Description: PGP signature