On Thu, Apr 26, 2012 at 7:37 AM, Andreas Henriksson wrote:
> Hello Michael!
>
> I'm really confused by different claims which completely lack any
> references or background information, so I have no way to figure out
> what is true and not.
>
> On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
>> A couple of issues were reported in libarchive >= 3.0, and are likely
>> fixed already, but outside access to the bug reports is still
>> restricted, so it's impossible to know. Please check the info at the
>> following Google Code restricted links or with upstream:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
>
> From what I can see the issue was reported against PRE-releases of 3.0,
> so < 3.0 .... do you have any indication that they also affect >= 3.0 ?
I have no info either way, which is why these issues need to be checked
against real information. That is behind restricted Chrome bug reports,
so you'll need to get access to those somehow.

>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
>
> This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.
>
> http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other
> hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is!
>
> The comment says "vulnerable code not present in 2.x series" which contradicts
> the CVE report totally. I'd like to know where this information comes from!

That is based on the statement toward the bottom of the Red Hat bug report,
which may be right or wrong. Again, it's something that needs to be checked
against real information. Unfortunately all of it is behind those restricted
Chrome reports.

Best wishes,
Mike