On Tue, Jun 07, 2005 at 12:00:13AM -0400, George Georgalis wrote:
>On Tue, Jun 07, 2005 at 12:25:51PM +1000, Anibal Monsalve Salazar wrote:
>>On Tue, Jun 07, 2005 at 12:14:19PM +1000, Anibal Monsalve Salazar wrote:
>>>On Mon, Jun 06, 2005 at 09:31:05PM -0400, George Georgalis wrote:
>>>>
>>>>This was the changelog.Debian.gz entry for the last bzip2 update:
>>>>
>>>>bzip2 (1.0.2-1.woody2) stable-security; urgency=high
>>>>
>>>>  * Non-maintainer upload by the Security Team
>>>>  * No changes rebuild because maintainer prevented distribution of
>>>>    security fix, thanks a lot!
>>>>
>>>>The only useful information I see there is "urgency=high" -- but no
>>>>clear explanation. Was this just an incomplete log? The maintainer did
>>>>not respond to my inquiry. Is there a CAN? Is there a better file to
>>>>extract specific info from?
>>>>
>>>>I can read; but the second point is ambiguous, the first point doesn't
>>>>help, nor does the urgency level. So what exactly happened?
>>>
>>>I uploaded bzip2 1.0.2-1.1 to stable which clashed with Martin
>>>Schulze's plan.
>>>
>>>1.0.2-1.woody2 is the same as 1.0.2-1.1.
>>>
>>> bzip2 (1.0.2-1.1) stable; urgency=medium
>>> .
>>>   * Fixed RC bug "file permissions modification race (CAN-2005-0953)", closes:
>>>     #303300. Patch by Santiago Ruano Rincon <santiago@unicauca.edu.co>.
>>>     Original patch available at
>>>     http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2
>>>
>>>I submitted 1.0.2-1.woody3 and Martin included it in the last release
>>>of woody.
>>
>>Apparently, he didn't include it in the last release of woody.
>>
>>> bzip2 (1.0.2-1.woody3) stable-security; urgency=high
>>> .
>>>   * Fixed "CAN-2005-1260 decompression bomb vulnerability", closes: #310803.
>>>     Patch by Martin Pitt <martin.pitt@ubuntu.com>.
>
>Okay, so "Woody" is still exposed to CAN-2005-0953 and CAN-2005-1260,
>I've not tried a dist-upgrade yet...

CAN-2005-0953 is fixed in woody by bzip2 1.0.2-1.woody2. However,
CAN-2005-1260 is not.

I cannot see bzip2 1.0.2-1.woody3 in woody.

You can find bzip2 1.0.2-1.woody3 and the patch for #310803 at:

http://people.debian.org/~anibal/debian/bzip2/

Anibal Monsalve Salazar
--
 .''`. Debian GNU/Linux
: :' : Free Operating System
`. `'  http://debian.org/
  `-   http://v7w.com/anibal