Updated: mingw-bzip2-1.0.3-1, mingw-libbz2_1-1.0.3-1

[Charles Wilson]

The mingw-bzip2 package has been updated to version 1.0.3-1. 
mingw-bzip2 provides the static library, DLL import library, and header 
files for building non-cygwin applications (like setup.exe) which need 
access to bzip2 compression algorithms.  mingw-libbz2_1 provides the 
corresponding DLL.

These libraries are built using the standard windows runtime library and 
NOT cygwin; it is used by setup.exe among other tools.  No executables 
(like bzip2.exe) are provided by these packages.  Use the cygwin 
versions instead, or go to the bzip2 homepage at http://www.bzip2.org/ 
for native windows executables.

CHANGES:

Routine update to upstream version 1.0.3

Addresses security issue CAN-2005-1260 "bzip2 allows remote attackers to 
cause a denial of service (hard drive consumption) via a crafted bzip2 
file that causes an infinite loop (a.k.a "decompression bomb")."

Addresses security issue CAN-2005-0953 "Race condition in bzip2 1.0.2 
and earlier allows local users to modify permissions of arbitrary files 
via a hard link attack on a file while it is being decompressed, whose 
permissions are changed by bzip2 after the decompression is complete."


-- 
Chuck


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

               *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at the above URL.