Package: gzip
Version: 1.3.5-15

Mike Frysinger <[EMAIL PROTECTED]> writes about <ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.7.tar.gz> as follows:

> the attached patch [mostly] applies to current CVS ... i'm not familiar with
> gzip/zlib code so better to let the experts decide if this issue has been
> fully accounted for :)

<http://www.debian.org/security/2006/dsa-1181> says that CVE-2006-4334 through -4338 have been fixed in Debian version 1.3.5-15. 1.3.5-15 patched unlzh.c and unpack.c in quite a different way than 1.3.5-10sarge2 (which was the patch you forwarded to me). I don't know why two markedly different patches were applied, but I assume that either set will do, and I took the 1.3.5-15 patches as being simpler and easier to understand.

I will CC: this to the Debian bug list so that the issue can be documented there.

Is it intended that gzip 1.3.5-15 use quite a different patch set than 1.3.5-10sarge2, and that either patch fixes the security holes in question?

