Vulnerability Development mailing list archives

Re: New bugs discovered!


From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Mon, 19 Nov 2001 09:29:37 +0000 (GMT)

On Sun, 18 Nov 2001, Nate Amsden wrote:

[ Executive summary: this is a problem that appears to be specific
to Linux distributions using obsolete versions of gzip, including
Slackware 7.1 and 8.0. Other problems *may* lurk in gzip, other
distros and therefore packages (including FTP servers) which make
use of gzip. ]

same here .. but gzip 1.2.4 :

[snip]

same results on debian 2.2r3(potato)

so not all "obsolete" versions of gzip are affected..

Yeah, Debian, like Red Hat (probably others too) frequently include 
patches culled from mailing lists, their own code audits and so on, 
meaning the version isn't a completely reliable guide to determining the 
vulnerability or not of a given instance. This issue has arisen in the 
past; perhaps it's time that the folks at Debian and Red Hat started 
indicating more clearly that they've patched with their version numbers 
(add an 's' suffix for security issues, 'b' for bugfixes, 'f' for 
functionality, 'c' for compilation issues...)

nate

Best Regards,
Alex.
-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/

