FYI: Correction, regarding Cyber Security Bulletin SB05-320 (fwd)

[David Eisenstein]

Just wanted to let you all know I sent this out to US-CERT, for when they
publish updates including notice of our security fixes.		-David

---------- Forwarded message ----------
From: David Eisenstein <deisenst at gtw.net>
To: soc at us-cert.gov
Date: Tue, 22 Nov 2005 01:57:15 -0600 (CST)
Subject: Correction, regarding Cyber Security Bulletin SB05-320

Hi,

According to <http://www.us-cert.gov/cas/bulletins/SB05-320.html#zgrep>,
Fedora Legacy issued an advisory FLSA:158801 for the zgrep problem,
CVE-2005-0758.

Actually, Fedora Legacy has issued two advisories for this issue.  This
CVE issue for zgrep is also an issue with bzgrep (in bzip2 packages),
since bzgrep comes from a common heritage as zgrep.  Software publishers
such as Red Hat and Fedora Legacy are fixing the bzgrep problem using the
same CVE number CVE-2005-0758 for both issues.

The two advisories that Fedora Legacy has issued for these issues are:

   1) FLSA:157696 (available at
<http://fedoralegacy.org/updates/FC1/2005-08-10-FLSA_2005_157696__Updated_gzip_package_fixes_security_issues.html>)
      which fixes the zgrep in the gzip package we offer.
      Advisory FLSA:157696 was issued on 2005-08-10.  It was published
      in BugTraq:
      <http://marc.theaimsgroup.com/?l=bugtraq&m=112379911421033&w=2>.

   2) The one you mention in your bulletin SB05-320, FLSA:158801 (at
<http://fedoralegacy.org/updates/FC1/2005-11-14-FLSA_2005_158801__Updated_bzip2_packages_fix_security_issues.html>).

I am noticing that the URL you post for FedoraLegacy in your Cyber
Security Bulletins is <http://download.fedoralegacy.org/>, which isn't
that helpful for people looking for our update advisories.  May I suggest 
instead using <http://fedoralegacy.org/updates/> if you wish to use a 
generic URL, or the URL of the actual Update Advisory underneath that URL?

Thanks for your attention to this matter.

	Regards,

	David Eisenstein
	Participant, Fedora Legacy Project