On Sun, 18 Nov 2001, Nate Amsden wrote:

> > [ Executive summary: this is a problem that appears to be specific
> > to Linux distributions using obsolete versions of gzip, including
> > Slackware 7.1 and 8.0. Other problems *may* lurk in gzip, other
> > distros and therefore packages (including FTP servers) which make
> > use of gzip. ]
>
> same here .. but gzip 1.2.4 :
[snip]
> same results on debian 2.2r3(potato)
>
> so not all "obsolete" versions of gzip are affected..

Yeah, Debian, like Red Hat (probably others too) frequently include patches culled from mailing lists, their own code audits and so on, meaning the version isn't a completely reliable guide to determining the vulnerability or not of a given instance.

This issue has arisen in the past; perhaps it's time that the folks at Debian and Red Hat started indicating more clearly that they've patched with their version numbers (add an 's' suffix for security issues, 'b' for bugfixes, 'f' for functionality, 'c' for compilation issues...)

> nate

Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 10:26:23 PST