Actually I sent them a service ticket about
updating bzip2 to version 1.0.5. Below is what I
got recently from RedHat support:
---------------------------------------
| Case Information |
---------------------------------------
Case Title : bzip2 should be updated to version 1.0.5
Case Number : 1855016
Case Open Date : 02-SEP-2008
Problem Type :
Last Update Comment as of 05-SEP-2008 05:19:14 :
Greetings,
Thanks for the update.
I have forwarded your queries to our Security Alert team.
I shall get back to you once I have an update.
Best regards
Shailendra
---------------------------------------
Thank you for your latest interaction with Red
Hat Support. If you wish to reach Red Hat, please
go to http://support.redhat.com/ for phone and
web contact information appropriate to your
region and support contract.
Red Hat Global Support Services is working a case
associated to this email address as the primary
point of contact. For tracking purposes, the case
has been assigned a number of "1855016" and has
the title "bzip2 should be updated to version
1.0.5". More information related to this specific
case is attached to this message. If any of this
is in error, please notify us immediately by
calling our support line at the number specific
to your region see
https://www.redhat.com/support/service/GSS_phone.html
The purpose of this email is to notify you that a
Red Hat associate is presently working on this
case and has updated the case with the following
information. You may continue to follow the
progress and read any notes logged to the case at
http://support.redhat.com.
If you update the case via the web portal (such
as adding a note or adding an attachment), the
case status will stay in the "Waiting on Red Hat"
status, or you may change it to "Closed". If left
in "Waiting on Red Hat", the case will stay in
this status while it is worked until changed by
Red Hat to "Waiting on Customer" if more
information is needed from you, or to "Pending
Closure" or "Closed" depending on the situation.
Note: Please do not reply to this email. If you
wish to reach Red Hat, please go to
http://support.redhat.com for phone and web
contact information appropriate to your region
and support contract.
Thank you so much and have a great day.
Frank
Red Hat Global Support Services
SM wrote:
> At 01:11 05-09-2008, Tilman Schmidt wrote:
>> But even a manual "yum update" finds nothing to update. I cannot
>> imagine Redhat/CentOS neglecting to provide a patch for that
>
> Why not? :-)
>
> The response was that "this issue can only result in a crash of the
> bunzip2 process, which we do not consider to have any security impact."
>
>> vulnerability, so I am probably doing something wrong. But what?
>
> You are not doing anything wrong. Get a newer version of bzip2.
>
> Regards,
> -sm
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
More info can be found here:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1372
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
redhat didn't patch it. Their latest version appears to be from 2005 -
per the date on the file.
--
Roberto Ullfig - [EMAIL PROTECTED]
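The confusion in this thread about "yum update" finding nothing turns on how Red Hat and CentOS ship fixes: security patches are backported into the existing upstream version rather than the version being bumped, so the version string alone cannot tell you whether CVE-2008-1372 was addressed, while the package's %changelog can. The following Python is an added example written for this page; it is not code from anyone in the thread or from Red Hat. The changelog text is constructed sample data, the installed version 1.0.3 is an assumption, the fixed version 1.0.5 and CVE-2008-1372 come from the thread, and the rpm commands named in the comments are where the real inputs would come from.

```python
"""Classify whether an installed vendor package carries a fix for a CVE.

Added example, not from the mailing-list thread or from Red Hat. Red Hat
and CentOS backport fixes into the existing upstream version, so a package
can be patched without its version number changing; the %changelog records
a backported fix, which is what this check looks for.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `rpm -q --changelog bzip2` output (not real RHEL data).
SAMPLE_CHANGELOG_PATCHED = """\
* Mon Mar 24 2008 Example Maintainer <maint@example.invalid> - 1.0.3-4
- fix out-of-bounds read in decompressor (CVE-2008-1372)
* Tue Jun 07 2005 Example Maintainer <maint@example.invalid> - 1.0.3-3
- rebuild
"""

# Constructed sample with no security entry since 2005 (not real RHEL data).
SAMPLE_CHANGELOG_UNPATCHED = """\
* Tue Jun 07 2005 Example Maintainer <maint@example.invalid> - 1.0.3-3
- rebuild
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
HEADER_RELEASE_RE = re.compile(r"\s-\s(\S+)\s*$")   # trailing " - <version-release>"


@dataclass
class ChangelogEntry:
    header: str                 # the "* <date> <packager> - <ver-rel>" line
    release: str                # version-release from the header, "" if absent
    cves: list = field(default_factory=list)   # CVE ids named in this entry


def parse_changelog(text: str) -> list:
    """Split rpm %changelog text into entries and collect the CVE ids in each."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith("* "):
            m = HEADER_RELEASE_RE.search(line)
            current = ChangelogEntry(header=line, release=m.group(1) if m else "")
            entries.append(current)
        elif current is not None:
            current.cves.extend(c.upper() for c in CVE_RE.findall(line))
    return entries


def parse_version(v: str) -> tuple:
    """'1.0.3-4' -> (1, 0, 3, 4): numeric comparison of dotted/dashed versions."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def patch_status(installed_version: str, changelog_text: str,
                 cve: str, fixed_upstream: str) -> str:
    """Return 'upstream-fixed' if the installed version already includes the
    upstream fix, 'backported' if the CVE is named in the changelog, else
    'unpatched'. The version check comes first because a rebase to the fixed
    release does not necessarily mention the CVE in the changelog."""
    if parse_version(installed_version) >= parse_version(fixed_upstream):
        return "upstream-fixed"
    for entry in parse_changelog(changelog_text):
        if cve.upper() in entry.cves:
            return "backported"
    return "unpatched"


if __name__ == "__main__":
    # On a real host the inputs come from:
    #   rpm -q --qf '%{VERSION}\n' bzip2     (installed version)
    #   rpm -q --changelog bzip2             (changelog text)
    for name, log in (("patched", SAMPLE_CHANGELOG_PATCHED),
                      ("unpatched", SAMPLE_CHANGELOG_UNPATCHED)):
        print(name, patch_status("1.0.3", log, "CVE-2008-1372", "1.0.5"))
```

The point of the ordering in `patch_status` is that the two signals answer different questions: the version comparison catches a rebase to the fixed upstream release, and the changelog scan catches a backport that leaves the version at 1.0.3; "unpatched" is what remains when neither is present, which is the situation the thread describes.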