On Fri, 2 Dec 2005, [EMAIL PROTECTED] wrote:
> I know it's already some months old, but isn't this issue still valid for
> lfs-svn?
> thanks
> Gottfried Haider
A quick google suggests that distros patched their versions of
bzip2-1.0.{1,2}, and RH at least said their patch was a backport.
The latest version of bzip2 from fedora that I can find is 1.0.2-16. I
assume that the problem is the one fixed by the "bomb" patch within
that, which we are already using.
Having said that, I'm not aware of a publicly accessible bzip2
development tree, so I might be wrong. The fedora specfile doesn't
mention this vulnerability number. Ubuntu does mention this number for
1.0.2, but I'm unclear which of their patches fix it, and I don't always
trust their analysis. The only "big guys" using 1.0.3 seem to be
gentoo, and they don't mention this as far as I can see.
Ken
--
the one time as tragedy, the other time as farce