On Mon, 2005-08-01 at 07:12 -0700, Duncan wrote:
> OK, the following was in the GLSA
>  
>    -------------------------------------------------------------------
>      Package                  /  Vulnerable  /              Unaffected
>     -------------------------------------------------------------------
>   1  emul-linux-x86-baselibs        < 2.2                       >= 2.2
>     -------------------------------------------------------------------
>      # Package 1 only applies to AMD64 users.
> 
> I upgraded to 2.2.2 yesterday.  Now, it wants to downgrade to 2.1.2, which
> the above says will still be vulnerable.
> 
> Looking at the changelog, it appears 2.2.x had quite a number of bugs. 
> There's a statement in there that /appears/ to suggest that the fixes for
> the zlib security issue were backported to the new 2.1.2, but we don't
> have an updated GLSA officially confirming that.  As this is a security
> issue, I'm sure folks can understand why I'm a bit leery of trusting a
> changelog entry that's contradicting an official GLSA.
> 
> Is the 2.1.2 legit and fixed, or is somebody trying to man-in-the-middle
> things?  Assuming it's legit, would it be possible to have a duly and
> officially signed GLSA update to that effect?
> 
> In the admittedly unlikely event that it's /not/ legit, then we have a
> /very/ serious man-in-the-middle cracking attempt going on!
> 
> -- 
> Duncan - List replies preferred.   No HTML msgs.
> "Every nonfree program has a lord, a master --
> and if you use the program, he is your master."  Richard Stallman in
> http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html
> 
> 

2.2.* was a repackage of all the libs, and it was missing a few of them.
2.1.2 is the same libs as 2.1, but with updated zlib to fix the security
bugs.

Allan

-- 
[email protected] mailing list
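An added example, not part of the thread: a small Python checker that parses the GLSA table quoted above and classifies an installed version against its Vulnerable/Unaffected columns. The function names and the simplified dotted-numeric version comparison are my assumptions (Portage's real comparison also handles suffixes such as _rc and -r); the table text is a copy of the lines quoted in the thread.

```python
import operator
import re
from typing import List, Tuple

# Copy of the GLSA table as quoted in the thread (constructed for this example).
GLSA_TABLE = """\
  -------------------------------------------------------------------
     Package                  /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  emul-linux-x86-baselibs        < 2.2                       >= 2.2
    -------------------------------------------------------------------
"""

# A data row: index, package name, vulnerable spec, unaffected spec (2+ spaces apart).
ROW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(.+?)\s{2,}(.+?)\s*$")
# One "<op> <version>" condition inside a spec column.
COND_RE = re.compile(r"(>=|<=|<|>|=)\s*([\w.]+)")

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}


def parse_version(v: str) -> Tuple[int, ...]:
    # Assumption: purely dotted-numeric versions, compared component-wise,
    # so (2, 1, 2) < (2, 2) <= (2, 2, 2), matching the versions in the thread.
    return tuple(int(p) for p in v.split("."))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every condition listed in `spec`."""
    ver = parse_version(version)
    conds = COND_RE.findall(spec)
    return bool(conds) and all(OPS[op](ver, parse_version(t)) for op, t in conds)


def parse_glsa_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, vulnerable_spec, unaffected_spec) for each data row."""
    return [m.groups() for line in text.splitlines() if (m := ROW_RE.match(line))]


def classify(package: str, installed: str, table: str = GLSA_TABLE) -> str:
    """Classify an installed version using the GLSA's published ranges."""
    for pkg, vulnerable, unaffected in parse_glsa_table(table):
        if pkg != package:
            continue
        if satisfies(installed, unaffected):
            return "unaffected"
        if satisfies(installed, vulnerable):
            return "vulnerable"
        return "not covered by this GLSA"
    return "package not listed"
```

Run against the published ranges, 2.2.2 is "unaffected" while 2.1.2 is "vulnerable", which is exactly why the thread asks for an updated GLSA rather than a changelog note.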