The 3rd-party security advisory suggests that the bugs are fixed in UnZip 6.1c23:
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html See unzip610c23.zip here: http://antinode.info/ftp/info-zip/ Unfortunately, this is a zip file, unlike the 9 year old tarball on the UnZip SourceForge page. Any advice? I suppose we could keep the old UnZip package just to unpack the new one.
signature.asc
Description: PGP signature
