Bug 71760
Summary: | m4 uses unofficial release | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Han-Wen Nienhuys <hanwen> |
Component: | m4 | Assignee: | Miloslav Trmač <mitr> |
Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
Severity: | high | Priority: | medium |
Version: | 7.3 | CC: | mgarski |
Hardware: | All | OS: | Linux |
Fixed In Version: | 1.4.2-1 | Doc Type: | Bug Fix |
Last Closed: | 2004-12-12 19:22:40 UTC | | |
Description
Han-Wen Nienhuys
2002-08-18 10:57:24 UTC
I have looked at 1.4, the version shipped by Red Hat and the newest alpha versions that have been released in January of 2000. The current version in Red Hat is pretty close to the last release of m4-1.4 and has had good testing during the last several releases of Red Hat Linux. Maybe we should downgrade this back to the 1.4 release.

Thanks,
Florian La Roche

Fedora Core 1, 2, 3 and devel also contain an unofficial m4 release. Currently the latest m4 release is 1.4.2; maybe it's a good time (after the release freeze) to update it in FC? The URL in the spec file could be changed to: http://www.gnu.org/software/m4/

m4 in the Fedora devel tree contains only part of the security patches. The patches below aren't included:

* doc/m4.texinfo (Maketemp): Change maketemp to refer to a new, empty file rather than to a nonexistent file. This closes a common security hole.
* src/builtin.c (m4_maketemp): Implement the above, by using mkstemp rather than mktemp. (trivial change)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=84416

They are fixed in 1.4.2.

m4-1.4.2-1 should appear in rawhide soon.

The maketemp changes are a change of behavior that should not affect security of properly written programs (FWIW, POSIX requires yet another, even more insecure behavior). Thanks for the heads-up.
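
The ChangeLog entries quoted in the thread move maketemp from mktemp to mkstemp. As an added illustration (not m4's source and not written by anyone in this bug thread), the C sketch below shows what that change provides: the returned name already refers to a new, empty, private file, so a later exclusive create on the same name fails instead of succeeding. The helper names and the `/tmp/m4-demo-XXXXXX` template are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not m4's m4_maketemp: turn a template ending in
   XXXXXX into the name of a new, empty file. mkstemp creates the file
   atomically (O_CREAT|O_EXCL), so the name is claimed before it is returned.
   Returns 0 on success, -1 on error (errno set by mkstemp/close). */
int maketemp_safe(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    return close(fd);           /* only the name is handed back */
}

/* 1 if path is a regular, empty file owned by us with no group/other bits. */
int is_new_empty_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_size == 0 &&
           st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

/* 1 if nobody can win an exclusive create on this name any more. */
int exclusive_create_fails(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {              /* name was free: the mktemp-style window */
        close(fd);
        unlink(path);
        return 0;
    }
    return errno == EEXIST;
}

int main(void)
{
    char name[] = "/tmp/m4-demo-XXXXXX";   /* constructed sample template */
    if (maketemp_safe(name) != 0) { perror("mkstemp"); return 1; }
    printf("%s private_empty=%d excl_create_fails=%d\n", name,
           is_new_empty_private(name), exclusive_create_fails(name));
    return unlink(name) != 0;
}
```

With a name-only generator such as mktemp, `exclusive_create_fails` would return 0 for the returned name, because no file exists yet and whoever creates it first owns it.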