I do not mean to bug the maintainer, request an update, or imply that the maintainer is not paying attention to the canonical site, but in case the maintainer just hasn't noticed ...

<http://www.info-zip.org/>:

- "Zip 2.32 was released on 20 June 2006."
  <http://www.info-zip.org/Zip.html>:
  "All known vulnerabilities are fixed in Zip 2.32."
  "Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation ..."

- "UnZip 5.52 was released on 27 February 2005."
  <http://www.info-zip.org/UnZip.html>:
  "All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities ..."

/c> cygcheck -c zip; ls -og /bin/zip.exe
Cygwin Package Information
Package              Version        Status
zip                  2.3-6          OK
-rwxrwxrwx 1 63488 2004-02-26 20:37:16 /bin/zip.exe

/c> cygcheck -c unzip; ls -og /bin/unzip.exe
Cygwin Package Information
Package              Version        Status
unzip                5.50-5         OK
-rwxrwxrwx 1 108544 2003-08-09 03:32:53 /bin/unzip.exe

Again, I do not mean to bug the maintainer and appreciate all the work that s/he has done maintaining the zip and unzip packages.

- Barry
- Disclaimer: Statements made herein are not made on behalf of NIAID.
- If you believe you received this e-mail in error, you are probably sadly mistaken, but if not, aren't you lucky?
- Sending this e-mail does not constitute endorsement of the contents; I may change my mind later.
- This e-mail may have been sent in haste; if any of its contents are offensive, inappropriate, inaccurate, ungrammatical, misspelled, or incomplete, too bad.
- Ideas in this e-mail are bigger than they appear and the writer may be smarter than he appears.
