Red Hat Bugzilla – Bug 207643
CVE-2006-4334 Multiple vulnerabilities in gzip (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338)
Last modified: 2007-11-30 17:11:44 EST
Description of problem:
Google Security Team has discovered multiple vulnerabilities in gzip 1.3.5. These
vulnerabilities are recorded as CVE-2006-4334, CVE-2006-4335, CVE-2006-4336,
Version-Release number of selected component (if applicable):
These vulnerabilities are already fixed for Red Hat's commercial Linux
distributions. Where is the updated package for Fedora Core??
fixed in gzip-1.3.5-8.
> fixed in gzip-1.3.5-8
gzip-1.3.5-8 is from rawhide and this update indeed showed up there
some time ago. But for FC5, gzip-1.3.5-7.1.fc5 has been sitting in "testing"
for a number of days already and released packages do not seem to be
forthcoming. See bug 204676 for a description of attacks.
Ivana, it seems you forgot to push this one live, can you take care of it ASAP?
The update gzip-1.3.5-7.1.fc5 is pushed as final now.
gzip 1.3.5-7.1 was pushed 2006-10-02
gzip 1.3.5-7 was pushed 2006-10-10
Note that the 10/02 version is later than the 10/10 version.
Does 1.3.5-7.1 have the relevant fix?
Or does someone need to release a 1.3.5-7.2?
gzip-1.3.3 also has these vulnerabilities. FC3 is affected. See RHSA-2006-0667
I noticed that 1.3.5-7.fc5 and 1.3.5-7.1.fc5 were made available for download
in the opposite order of being built. So which one should I be using?
Intuitively the extra .1 sounds like a higher version number. But
lexicographically .1.fc5 is before .fc5, and neither has an epoch. Maybe I
misunderstood the algorithm for comparing version numbers, is it documented
The problem with the update is fixed by 1.3.5-8.fc5
I don't see any gzip-1.3.5-8.fc5
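On the version-ordering question raised in this thread, the following added example (not part of the original bug report, and not RPM's own code) sketches the segment-wise comparison RPM applies to version and release strings, and sorts the three builds named above. It is a simplified Python rendering of the classic algorithm: the function names are chosen here, and the `~` and `^` handling of newer RPM releases is left out.

```python
import re
from functools import cmp_to_key

# A segment is a run of digits or a run of ASCII letters; every other
# character (".", "_", ...) only separates segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    segs_a, segs_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(segs_a, segs_b):
        if x.isdigit() != y.isdigit():
            # Mixed types: a numeric segment is newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):  # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:  # same type (and same length if numeric): string order
            return 1 if x > y else -1
    # Shared segments are equal: the side with segments left over is newer.
    return (len(segs_a) > len(segs_b)) - (len(segs_a) < len(segs_b))

def parse_evr(evr):
    """Split "[epoch:]version-release"; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evr_cmp(a, b):
    """Compare epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def sort_evrs(evrs):
    """Oldest first, in the order RPM would upgrade through them."""
    return sorted(evrs, key=cmp_to_key(evr_cmp))

if __name__ == "__main__":
    # Version-release strings named in this thread.
    print(sort_evrs(["1.3.5-7.1.fc5", "1.3.5-8.fc5", "1.3.5-7.fc5"]))
```

Under this comparison the release `7.1.fc5` ranks above `7.fc5`, because after the shared `7` a numeric segment (`1`) is compared against an alphabetic one (`fc`) and the numeric segment wins; plain string order would put them the other way round.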