| 1 |
OK, the following was in the GLSA |
| 2 |
|
| 3 |
------------------------------------------------------------------- |
| 4 |
Package / Vulnerable / Unaffected |
| 5 |
------------------------------------------------------------------- |
| 6 |
1 emul-linux-x86-baselibs < 2.2 >= 2.2 |
| 7 |
------------------------------------------------------------------- |
| 8 |
# Package 1 only applies to AMD64 users. |
| 9 |
|
| 10 |
I upgraded to 2.2.2 yesterday. Now, it wants to downgrade to 2.1.2, which |
| 11 |
the above says will still be vulnerable. |
| 12 |
|
| 13 |
Looking at the changelog, it appears 2.2.x had quite a number of bugs. |
| 14 |
There's a statement in there that /appears/ to suggest that the fixes for |
| 15 |
the zlib security issue were backported to the new 2.1.2, but we don't |
| 16 |
have an updated GLSA officially confirming that. As this is a security |
| 17 |
issue, I'm sure folks can understand why I'm a bit leery of trusting a |
| 18 |
changelog entry that's contradicting an official GLSA. |
| 19 |
|
| 20 |
Is the 2.1.2 legit and fixed, or is somebody trying to man-in-the-middle |
| 21 |
things? Assuming it's legit, would it be possible to have a duly and |
| 22 |
officially signed GLSA update to that effect? |
| 23 |
|
| 24 |
In the admittedly unlikely event that it's /not/ legit, then we have a |
| 25 |
/very/ serious man-in-the-middle cracking attempt going on! |
| 26 |
|
| 27 |
-- |
| 28 |
Duncan - List replies preferred. No HTML msgs. |
| 29 |
"Every nonfree program has a lord, a master -- |
| 30 |
and if you use the program, he is your master." Richard Stallman in |
| 31 |
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html |
| 32 |
|
| 33 |
|
| 34 |
-- |
| 35 |
gentoo-amd64@g.o mailing list |
Archives