OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   10-Jun-2005 20:28:10
  Branch: HEAD                             Handle: 2005061019281000
Modified files:
openpkg-web/security OpenPKG-SA-2005.009-gzip.txt
Log:
small cosmetics
Summary:
Revision Changes Path
1.4 +11 -10 openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt
============================================================================
$ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2005.009-gzip.txt
--- openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 15:42:33
-0000 1.3
+++ openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 18:28:10
-0000 1.4
@@ -3,7 +3,7 @@
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2005.009 10-June-2005
+OpenPKG-SA-2005.009 10-Jun-2005
________________________________________________________________________
Package: gzip
@@ -18,21 +18,21 @@
Dependent Packages: none
Description:
- According to a Debian bug report [0], Ulf Harnhammar discovered
- an input validation error in the gzip data compressor [1]. Because
+ According to a Debian bug report [0], Ulf Harnhammar discovered an
+ input validation error in the GZip data compressor [1]. Because
gzip(1) fails to properly validate file paths during decompression
with the "-N" argument, a remote attacker using a malicious archive
could corrupt arbitrary files with the privileges of the user that
is running gzip(1). The Common Vulnerabilities and Exposures (CVE)
project assigned the identifier CAN-2005-1228 [2] to this problem.
- Because the openpkg bootstrap package embeds gzip, it may be affected
- as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [3].
+ Because the OpenPKG bootstrap package embeds GZip, it is affected as
+ well. Please refer to OpenPKG-SA-2005.010-openpkg for details [3].
Please check whether you are affected by running "<prefix>/bin/openpkg
- rpm -q gzip". If you have the "gzip" package installed and its
- version is affected (see above), we recommend that you immediately
- upgrade it (see Solution) and any dependent packages as well [4][5].
+ rpm -q gzip". If you have the "gzip" package installed and its version
+ is affected (see above), we recommend that you immediately upgrade it
+ (see Solution) and any dependent packages as well [4][5].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
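Review bot: In the bootstrap-package sentence, changing "it may be affected as well" to "it is affected as well" alters what the advisory asserts, so the log message "small cosmetics" does not cover it. Please name this change in the commit log and confirm that the stronger wording agrees with OpenPKG-SA-2005.010-openpkg, which the same sentence cites as [3]. A smaller style point: after the rename the paragraph uses "GZip" for the program, gzip(1) for the command and "gzip" for the package, so it is worth checking that the rest of the file follows the same split.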
@@ -54,8 +54,9 @@
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/gzip-1.3.5-2.3.1.*.rpm
We recommend that you rebuild and reinstall any dependent packages
- (see above) as well [4][5]. The openpkg build tool can be instrumental
- in consistently updating and securing the entire OpenPKG instance.
+ (see above) as well [4][5]. The "openpkg build" tool can be
+ instrumental in consistently updating and securing the entire OpenPKG
+ instance.
________________________________________________________________________
References:
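Review bot: The newly quoted "openpkg build" in the rebuild paragraph lacks the "<prefix>/bin/" path that the other commands in this advisory carry, for example "<prefix>/bin/openpkg rpm -q gzip" in the Description. If the quotes mark it as a command the reader types, give it the same full form; if it only names the tool, the text is fine as it stands.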
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]