On Mon, 19 Nov 2001 12:16:30 EST, Chris Ess said:
> > Current versions of gzip (1.3.x) are not vulnerable.
>
> I see nowhere on www.gzip.org mentioning a version 1.3.x. It only
> mentions 1.2.4a
>
> Where would one go about finding the source for this?

http://www.gzip.org for those of you who don't do rpmfind. However, that seems to still be 1.2.4a.

'gzip 1.3' seems to be a RedHat creation, based on the output of 'rpm -q --changelog gzip':

* Mon Mar 20 2000 Bernhard Rosenkraenzer <beroat_private>
- 1.3
- handle RPM_OPT_FLAGS

* Tue Feb 15 2000 Cristian Gafton <gaftonat_private>
- handle compressed man pages even better

* Tue Feb 08 2000 Cristian Gafton <gaftonat_private>
- adopt patch from Paul Eggert to fix detection of the improper tables in inflate.c(huft_build)
- the latest released version 1.2.4a, which provides documentation updates only. But it lets us use small revision numbers again
- add an dirinfo entry for gzip.info so we can get rid of the ugly --entry args to install-info

I've opened Bug 56489 with bugzilla.redhat.com to address the fact that they seem to have forked 1.3 but are still pointing at www.gzip.org.

The latest SRPM seems to be available at:

ftp://ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS/gzip-1.3.1-1.src.rpm

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 14:28:16 PST