Re: changlog for bzip2

To: debian-security@lists.debian.org
Subject: Re: changlog for bzip2
From: Anibal Monsalve Salazar <anibal@debian.org>
Date: Tue, 7 Jun 2005 14:18:52 +1000
Message-id: <[🔎] 20050607041852.GO2036@debianrules.debiancolombia.org>
In-reply-to: <[🔎] 20050607040013.GB8673@ixeon.local>
References: <[🔎] 20050607013105.GA8459@ixeon.local> <[🔎] 20050607021419.GM2036@debianrules.debiancolombia.org> <[🔎] 20050607022551.GN2036@debianrules.debiancolombia.org> <[🔎] 20050607040013.GB8673@ixeon.local>

On Tue, Jun 07, 2005 at 12:00:13AM -0400, George Georgalis wrote:
>On Tue, Jun 07, 2005 at 12:25:51PM +1000, Anibal Monsalve Salazar wrote:
>>On Tue, Jun 07, 2005 at 12:14:19PM +1000, Anibal Monsalve Salazar wrote:
>>>On Mon, Jun 06, 2005 at 09:31:05PM -0400, George Georgalis wrote:
>>>>
>>>>This was the changelog.Debian.gz entry for the last bzip2 update:
>>>>
>>>>bzip2 (1.0.2-1.woody2) stable-security; urgency=high
>>>>
>>>>  * Non-maintainer upload by the Security Team
>>>>  * No changes rebuild because maintainer prevented distribution of
>>>>    security fix, thanks a lot!
>>>>
>>>>The only useful information I see threre is "urgency=high" -- but no
>>>>clear explinaton.  Was this just an incomplete log? The maintainer did
>>>>not respond to my inquiry. Is there a CAN?  Is there a better file to
>>>>extract specific info from?
>>>>
>>>>I can read;  but the second point is ambigous, the first point doesn't
>>>>help, nor does the urgency level.  So what exactly happened?
>>>
>>>I uploaded bzip2 1.0.2-1.1 to stable which clashed with Martin
>>>Schulze's plan.
>>>
>>>1.0.2-1.woody2 is the same as 1.0.2-1.1.
>>>
>>> bzip2 (1.0.2-1.1) stable; urgency=medium
>>> .
>>>   * Fixed RC bug "file permissions modification race (CAN-2005-0953)", closes:
>>>     #303300. Patch by Santiago Ruano Rincon <santiago@unicauca.edu.co>.
>>>     Original patch available at
>>>     http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2
>>>
>>>I submitted 1.0.2-1.woody3 and Martin included in the last release
>>>of woody.
>>
>>Aparently, he didn't include it in the last release of woody.
>>
>>> bzip2 (1.0.2-1.woody3) stable-security; urgency=high
>>> .
>>>   * Fixed "CAN-2005-1260 decompression bomb vulnerability", closes: #310803.
>>>     Patch by Martin Pitt <martin.pitt@ubuntu.com>.
>
>Okay, so "Woody" is still exposed to CAN-2005-0953 and CAN-2005-1260,
>I've not tried a dist-upgrade yet...

CAN-2005-0953 is fixed in woody by bzip2 1.0.2-1.woody2. However,
CAN-2005-1260 is not. I cannot see bzip2 1.0.2-1.woody3 in woody.

You can find bzip2 1.0.2-1.woody3 and the patch for #310803 at:

http://people.debian.org/~anibal/debian/bzip2/

Anibal Monsalve Salazar
--
 .''`. Debian GNU/Linux
: :' : Free Operating System
`. `'  http://debian.org/
  `-   http://v7w.com/anibal

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: changlog for bzip2
  - From: "George Georgalis" <george@galis.org>

References:
- changlog for bzip2
  - From: "George Georgalis" <george@galis.org>
- Re: changlog for bzip2
  - From: Anibal Monsalve Salazar <anibal@debian.org>
- Re: changlog for bzip2
  - From: Anibal Monsalve Salazar <anibal@debian.org>
- Re: changlog for bzip2
  - From: "George Georgalis" <george@galis.org>

Prev by Date: Re: changlog for bzip2
Next by Date: Re: changlog for bzip2
Previous by thread: Re: changlog for bzip2
Next by thread: Re: changlog for bzip2
Index(es):
- Date
- Thread