Your message dated Wed, 23 Jul 2008 16:22:48 +0200 (CEST)
with message-id <[EMAIL PROTECTED]>
and subject line CAN-2005-2096 fixed in etch, sarge unsupported
has caused the Debian Bug report #317967,
regarding [CAN-2005-2096] dpkg-deb contains a statically linked copy of zlib
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
317967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317967
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dpkg
Version: 1.13.10
Severity: normal
Tags: security
dpkg-deb seems to contain a statically linked copy of zlib version
1.2.2. This means it's potentially vulnerable to CAN-2005-2096. Please
check, and advise the security team if an update for stable is required.
--- End Message ---
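One way to do the check the report asks for, as an added example that is not part of the original thread or of dpkg: scan a binary for the version banners zlib compiles into its deflate and inflate code, which appear in an executable only when zlib is linked in statically. The function name, the sample bytes and the affected range (upstream 1.2 up to, but not including, 1.2.3) are assumptions of this example, not values taken from the thread.

```python
import re
import sys

# Banners compiled into zlib's deflate.c and inftrees.c, for example
# b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly ".
# A dynamically linked program does not carry them; the shared libz does.
BANNER = re.compile(rb" (deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} ")

# Assumption (not stated in the thread): upstream zlib 1.2.3 is the first
# release with the CAN-2005-2096 fix, and 1.2 is the first affected series.
FIRST_AFFECTED = (1, 2)
FIRST_FIXED = (1, 2, 3)


def embedded_zlib(blob, first_fixed=FIRST_FIXED):
    """Return sorted (component, version, in_affected_range) tuples found in blob."""
    found = set()
    for m in BANNER.finditer(blob):
        version = m.group(2).decode("ascii")
        parsed = tuple(int(p) for p in version.split("."))
        found.add((m.group(1).decode("ascii"), version,
                   FIRST_AFFECTED <= parsed < first_fixed))
    return sorted(found)


# Constructed sample bytes standing in for binaries (not real dpkg-deb contents).
SAMPLE_STATIC_122 = (b"\x7fELF\x01\x01" + b"\x00" * 32
                     + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00"
                     + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00")
SAMPLE_STATIC_123 = b"\x7fELF" + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
SAMPLE_DYNAMIC = b"\x7fELF" + b"libz.so.1\x00deflateInit_\x00inflate\x00"

if __name__ == "__main__":
    # Usage: python3 this_script.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = embedded_zlib(fh.read())
        if not hits:
            print(f"{path}: no embedded zlib banner")
        for component, version, affected in hits:
            state = "in affected range" if affected else "outside affected range"
            print(f"{path}: static {component} {version} ({state})")
```

A hit in the affected range means the binary needs a closer look, not that it is proven vulnerable: a distribution that backports the fix keeps the upstream version string, so the build has to be checked against the zlib source package it was compiled with.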
--- Begin Message ---
Version: 1.13.11
> > Presumably this bug was fixed in dpkg 1.13.11, which was released well
> > after the fixed zlib got into the archive. Although I've not actually
> > checked all the builds to see.
>
> This bug is also present in sarge. I think the consensus so far is
> that dpkg does need an update.
Unfortunately this was not picked up on for some reason. However, sarge is
now unsupported and we can't update dpkg anymore - etch was fixed from the
start. Closing bug.
Thijs
--- End Message ---