Notices where this attachment appears
-
Embed this notice
mjw (mjw@mastodon.nl)'s status on Saturday, 09-Nov-2024 19:26:25 JST 
mjw
There is this 5 year old CVE against bzip2 which turned out to be bogus. The long story: https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/
But probably because NVD gave this a 9.8 critical score (!) some enterprise distros are "fixing" this CVE now by "backporting" a broken fix to bzip2 1.0.6 instead of upgrading to a release with a proper fix (bzip2 1.0.8)...
https://gitlab.com/redhat/centos-stream/rpms/bzip2/-/commit/f9ed8e44ad56a1dd655d33dff7ad2344c71e91cf
So now at least rhel-8, alma-8 and ol8 are shipping with a broken bzip2. Sigh.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.