Just wanted to let you all know I sent this out to US-CERT, for when they publish updates including notice of our security fixes.

-David

---------- Forwarded message ----------
From: David Eisenstein <deisenst@xxxxxxx>
To: soc@xxxxxxxxxxx
Date: Tue, 22 Nov 2005 01:57:15 -0600 (CST)
Subject: Correction, regarding Cyber Security Bulletin SB05-320

Hi,

According to <http://www.us-cert.gov/cas/bulletins/SB05-320.html#zgrep>, Fedora Legacy issued an advisory FLSA:158801 for the zgrep problem, CVE-2005-0758.

Actually, Fedora Legacy has issued two advisories for this issue. This CVE issue for zgrep is also an issue with bzgrep (in bzip2 packages), since bzgrep comes from a common heritage as zgrep. Software publishers such as Red Hat and Fedora Legacy are fixing the bzgrep problem using the same CVE number CVE-2005-0758 for both issues.

The two advisories that Fedora Legacy has issued for these issues are:

1) FLSA:157696 (available at <http://fedoralegacy.org/updates/FC1/2005-08-10-FLSA_2005_157696__Updated_gzip_package_fixes_security_issues.html>) which fixes the zgrep in the gzip package we offer. Advisory FLSA:157696 was issued on 2005-08-10. It was published in BugTraq: <http://marc.theaimsgroup.com/?l=bugtraq&m=112379911421033&w=2>.

2) The one you mention in your bulletin SB05-320, FLSA:158801 (at <http://fedoralegacy.org/updates/FC1/2005-11-14-FLSA_2005_158801__Updated_bzip2_packages_fix_security_issues.html>).

I am noticing that the URL you post for FedoraLegacy in your Cyber Security Bulletins is <http://download.fedoralegacy.org/>, which isn't that helpful for people looking for our update advisories. May I suggest instead using <http://fedoralegacy.org/updates/> if you wish to use a generic URL, or the URL of the actual Update Advisory underneath that URL?

Thanks for your attention to this matter.

Regards,
David Eisenstein
Participant, Fedora Legacy Project