On Mon, 2005-08-01 at 07:12 -0700, Duncan wrote:
> OK, the following was in the GLSA
>
> -------------------------------------------------------------------
> Package                    / Vulnerable / Unaffected
> -------------------------------------------------------------------
> 1 emul-linux-x86-baselibs    < 2.2        >= 2.2
> -------------------------------------------------------------------
> # Package 1 only applies to AMD64 users.
>
> I upgraded to 2.2.2 yesterday. Now, it wants to downgrade to 2.1.2, which
> the above says will still be vulnerable.
>
> Looking at the changelog, it appears 2.2.x had quite a number of bugs.
> There's a statement in there that /appears/ to suggest that the fixes for
> the zlib security issue were backported to the new 2.1.2, but we don't
> have an updated GLSA officially confirming that. As this is a security
> issue, I'm sure folks can understand why I'm a bit leery of trusting a
> changelog entry that's contradicting an official GLSA.
>
> Is the 2.1.2 legit and fixed, or is somebody trying to man-in-the-middle
> things? Assuming it's legit, would it be possible to have a duly and
> officially signed GLSA update to that effect?
>
> In the admittedly unlikely event that it's /not/ legit, then we have a
> /very/ serious man-in-the-middle cracking attempt going on!
>
> --
> Duncan - List replies preferred. No HTML msgs.
> "Every nonfree program has a lord, a master --
> and if you use the program, he is your master." Richard Stallman in
> http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html
>

2.2.* was a repackage of all the libs, and it was missing a few of them.
2.1.2 is the same libs as 2.1, but with updated zlib to fix the security
bugs.

Allan

--
gentoo-amd64@g.o mailing list