Description of problem:
Google Security Team has discovered multiple vulnerabilities in gzip 1.3.5. These vulnerabilities are recorded as CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338.
Version-Release number of selected component (if applicable):
1.3.5
Additional info:
These vulnerabilities are already fixed for Red Hat's commercial Linux distributions. Where is the updated package for Fedora Core?
fixed in gzip-1.3.5-8.
> fixed in gzip-1.3.5-8

gzip-1.3.5-8 is from rawhide and this update indeed showed up there some time ago. But for FC5, gzip-1.3.5-7.1.fc5 has been sitting in "testing" for a number of days already and released packages do not seem to be forthcoming. See bug 204676 for a description of attacks.
Ivana, it seems you forgot to push this one live, can you take care of it ASAP?
The update gzip-1.3.5-7.1.fc5 is pushed as final now.
gzip 1.3.5-7.1 was pushed 2006-10-02
gzip 1.3.5-7 was pushed 2006-10-10
Note that the 10/02 version is later than the 10/10 version. Does 1.3.5-7.1 have the relevant fix? Or does someone need to release a 1.3.5-7.2?
gzip-1.3.3 also has these vulnerabilities. FC3 is affected. See RHSA-2006-0667.
I noticed that 1.3.5-7.fc5 and 1.3.5-7.1.fc5 were made available for download in the opposite order of being built. So which one should I be using? Intuitively the extra .1 sounds like a higher version number. But lexicographically .1.fc5 is before .fc5, and neither has an epoch. Maybe I misunderstood the algorithm for comparing version numbers; is it documented anywhere?
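The comment above asks how the two release strings are ordered. As an added example (not part of the original thread and not RPM's own code), the Python below reimplements the segment-by-segment rule of RPM's `rpmvercmp`, leaving out its tilde and caret handling, and applies it to the builds named in this thread; all function names are chosen for illustration.

```python
import re
from functools import cmp_to_key

# Maximal runs of ASCII digits or ASCII letters; everything else is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal."""
    segs_a, segs_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(segs_a, segs_b):
        if x.isdigit() and y.isdigit():
            x_num, y_num = int(x), int(y)      # numeric compare, leading zeros ignored
            if x_num != y_num:
                return 1 if x_num > y_num else -1
        elif x.isdigit() != y.isdigit():
            # Mixed types: the numeric segment is always treated as newer.
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1          # alphabetic segments compare as strings
    # All shared segments equal: the string with segments left over is newer.
    return (len(segs_a) > len(segs_b)) - (len(segs_a) < len(segs_b))

def split_evr(evr: str):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def compare_evr(a: str, b: str) -> int:
    """Compare epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Builds named in the thread, listed in plain string (lexicographic) order.
BUILDS = ["1.3.5-7.1.fc5", "1.3.5-7.fc5", "1.3.5-8.fc5"]

def newest_first(builds):
    return sorted(builds, key=cmp_to_key(compare_evr), reverse=True)

if __name__ == "__main__":
    print(newest_first(BUILDS))
```

Under this rule the release `7.1.fc5` sorts newer than `7.fc5`, because after the equal `7` the numeric segment `1` is compared with the alphabetic segment `fc`.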
The problem with the update is fixed by 1.3.5-8.fc5
I don't see any gzip-1.3.5-8.fc5