
Re: changelog for bzip2



On Tue, Jun 07, 2005 at 12:25:51PM +1000, Anibal Monsalve Salazar wrote:
>On Tue, Jun 07, 2005 at 12:14:19PM +1000, Anibal Monsalve Salazar wrote:
>>On Mon, Jun 06, 2005 at 09:31:05PM -0400, George Georgalis wrote:
>>>
>>>This was the changelog.Debian.gz entry for the last bzip2 update:
>>>
>>>bzip2 (1.0.2-1.woody2) stable-security; urgency=high
>>>
>>>  * Non-maintainer upload by the Security Team
>>>  * No changes rebuild because maintainer prevented distribution of
>>>    security fix, thanks a lot!
>>>
>>>The only useful information I see there is "urgency=high" -- but no
>>>clear explanation.  Was this just an incomplete log? The maintainer did
>>>not respond to my inquiry. Is there a CAN?  Is there a better file to
>>>extract specific info from?
>>>
>>>I can read;  but the second point is ambiguous, the first point doesn't
>>>help, nor does the urgency level.  So what exactly happened?
>>
>>I uploaded bzip2 1.0.2-1.1 to stable which clashed with Martin
>>Schulze's plan.
>>
>>1.0.2-1.woody2 is the same as 1.0.2-1.1.
>>
>> bzip2 (1.0.2-1.1) stable; urgency=medium
>> .
>>   * Fixed RC bug "file permissions modification race (CAN-2005-0953)", closes:
>>     #303300. Patch by Santiago Ruano Rincon <santiago@unicauca.edu.co>.
>>     Original patch available at
>>     http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2
>>
>>I submitted 1.0.2-1.woody3 and Martin included it in the last release
>>of woody.
>
>Apparently, he didn't include it in the last release of woody.
>
>> bzip2 (1.0.2-1.woody3) stable-security; urgency=high
>> .
>>   * Fixed "CAN-2005-1260 decompression bomb vulnerability", closes: #310803.
>>     Patch by Martin Pitt <martin.pitt@ubuntu.com>.
>


Okay, so "Woody" is still exposed to CAN-2005-0953 and CAN-2005-1260,
I've not tried a dist-upgrade yet...

// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george@galis.org


