OK, the following was in the GLSA
-------------------------------------------------------------------
 Package                     /  Vulnerable  /   Unaffected
-------------------------------------------------------------------
 1  emul-linux-x86-baselibs       < 2.2          >= 2.2
-------------------------------------------------------------------
 # Package 1 only applies to AMD64 users.

I upgraded to 2.2.2 yesterday. Now, it wants to downgrade to 2.1.2, which
the above says will still be vulnerable.

Looking at the changelog, it appears 2.2.x had quite a number of bugs.
There's a statement in there that /appears/ to suggest that the fixes for
the zlib security issue were backported to the new 2.1.2, but we don't
have an updated GLSA officially confirming that. As this is a security
issue, I'm sure folks can understand why I'm a bit leery of trusting a
changelog entry that's contradicting an official GLSA.

Is the 2.1.2 legit and fixed, or is somebody trying to man-in-the-middle
things? Assuming it's legit, would it be possible to have a duly and
officially signed GLSA update to that effect?

In the admittedly unlikely event that it's /not/ legit, then we have a
/very/ serious man-in-the-middle cracking attempt going on!

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman in
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html