Hello Michael! I'm really confused by different claims which completely lack any references or background information, so I have no way to figure out what is true and what is not.
On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
> A couple issues were reported in libarchive >= 3.0, and are likely
> fixed already, but there outside access to the bug reports are still
> restricted, so it's impossible to know. Please check the info at the
> following google code restricted links or with upstream:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666

From what I can see the issue was reported against PRE-releases of 3.0, so < 3.0 .... do you have any indication that they also affect >= 3.0?

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779

This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.

http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is! The comment says "vulnerable code not present in 2.x series", which contradicts the CVE report totally. I'd like to know where this information comes from! Who should I believe here when I have no information to support either story?!

>
> More info can be found in the redhat bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=705849

-- 
Andreas Henriksson

