gzip security update

jdow jdow at earthlink.net
Wed Oct 11 10:05:32 UTC 2006


From: "Ed Greshko" <Ed.Greshko at greshko.com>

> jdow wrote:
>> Does anybody other than me think it is a little peculiar that there
>> was a listed update for gzip today that has an earlier version number
>> than the one from the second?
>>
>> gzip-1.3.5-7.1.fc5.i386.rpm    October 2
>> gzip-1.3.5-7.fc5.i386.rpm      October 10
>>
>> Did somebody screw up the version numbering?
>
> Well, I've not updated my FC5 system recently.  So, I went to update it
> today.  I had gzip-1.3.5-6.2.1 installed and it is being updated to
> gzip-1.3.5-7.1.fc5.  So, I'm not sure what you are seeing or why.

I received this today. Please note the version of gzip it calls out.
The October 2 patch was declared with a higher version than this security
patch. This raises questions about somebody possibly bollixing up the
version number on a patch we should have. (The files are VASTLY different
sizes.)

{^_^}
===8<---
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2006-989
2006-10-10
---------------------------------------------------------------------

Product     : Fedora Core 5
Name        : gzip
Version     : 1.3.5
Release     : 7.fc5
Summary     : The GNU data compression program.
Description :
The gzip package contains the popular GNU gzip data compression
program. Gzipped files have a .gz extension.

Gzip should be installed on your Red Hat Linux system, because it is a
very commonly used data compression program.

---------------------------------------------------------------------

* Wed Sep 20 2006 Ivana Varekova <varekova at redhat.com> 1.3.5-7.fc5
- fix bug 204676 (patches by Tavis Ormandy)
  - cve-2006-4334 - null dereference problem
  - cve-2006-4335 - buffer overflow problem
  - cve-2006-4336 - buffer underflow problem
  - cve-2006-4338 - infinite loop problem
  - cve-2006-4337 - buffer overflow problem

---------------------------------------------------------------------
This update can be downloaded from:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/


This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
---------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-announce
===8<---
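
Added example, not part of the original message and not RPM's own code: a simplified Python version of the segment-by-segment comparison RPM applies to version and release strings, run on the two file names quoted in the thread. It assumes both packages carry the same epoch and ignores special characters such as `~`; under this comparison release `7.1.fc5` sorts newer than `7.fc5`, so the October 10 package would not replace the October 2 one.

```python
import re

# Runs of digits or runs of letters; everything else is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment always counts as newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_filename(filename):
    """Split name-version-release.arch.rpm into (name, version, release)."""
    base = filename[:-len(".rpm")] if filename.endswith(".rpm") else filename
    nvr, _arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def compare_packages(file_a, file_b):
    """Compare two package files of the same name (epoch assumed equal)."""
    name_a, ver_a, rel_a = split_filename(file_a)
    name_b, ver_b, rel_b = split_filename(file_b)
    if name_a != name_b:
        raise ValueError("different packages: %s vs %s" % (name_a, name_b))
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)

def would_upgrade(installed, candidate):
    """True if the candidate sorts strictly newer than the installed file."""
    return compare_packages(candidate, installed) > 0

# File names as quoted in the thread.
OCT_2 = "gzip-1.3.5-7.1.fc5.i386.rpm"
OCT_10 = "gzip-1.3.5-7.fc5.i386.rpm"

if __name__ == "__main__":
    print("Oct 2 vs Oct 10:", compare_packages(OCT_2, OCT_10))
    print("Oct 10 upgrades Oct 2 install:", would_upgrade(OCT_2, OCT_10))
```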



