FYI: un/zip update available

Buchbinder, Barry (NIH/NIAID) [E]
Tue Aug 29 02:29:00 GMT 2006

I do not mean to bug the maintainer, request an update, or imply that
the maintainer is not paying attention to the canonical site, but in
case the maintainer just hasn't noticed ...

	- "Zip 2.32 was released on 20 June 2006."
<>:  "All known vulnerabilities are
fixed in Zip 2.32."  "Zip 2.3 and (presumably) all previous versions
have a buffer-overrun vulnerability relating to deep directory paths
that could potentially lead to local privilege escalation ..."
	- "UnZip 5.52 was released on 27 February 2005."
<>:  "All versions of UnZip through
5.50 have a number of directory-traversal vulnerabilities ..."

  /c> cygcheck -c zip; ls -og /bin/zip.exe
  Cygwin Package Information
  Package              Version        Status
  zip                  2.3-6          OK
  -rwxrwxrwx 1 63488 2004-02-26 20:37:16 /bin/zip.exe
  /c> cygcheck -c unzip; ls -og /bin/unzip.exe
  Cygwin Package Information
  Package              Version        Status
  unzip                5.50-5         OK
  -rwxrwxrwx 1 108544 2003-08-09 03:32:53 /bin/unzip.exe

Again, I do not mean to bug the maintainer and appreciate all the work
that s/he has done maintaining the zip and unzip packages.

- Barry
     -  Disclaimer:  Statements made herein are not made on behalf of
     -  If you believe you received this e-mail in error, you are
probably sadly mistaken, but if not, aren't you lucky?
     -  Sending this e-mail does not constitute endorsement of the
contents; I may change my mind later.
     -  This e-mail may have been sent in haste; if any of its contents
are offensive, inappropriate, inaccurate, ungrammatical, misspelled, or
incomplete, too bad.
     -  Ideas in this e-mail are bigger than they appear and the writer
may be smarter than he appears.

More information about the Cygwin-apps mailing list
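The two vulnerability classes the post quotes from the Info-ZIP site (directory traversal via archive member names in UnZip through 5.50, and a buffer overrun on very deep directory paths in Zip 2.3) can be checked for on the consumer side before an archive is handed to an old extractor. The following is an added example written for this page, not code from the original post, from Info-ZIP, or from the Cygwin packages: it builds a small constructed archive containing a traversal name, an absolute path and an absurdly deep path, audits every member, and extracts only the members whose resolved path stays under the destination. MAX_DEPTH is an illustrative threshold chosen here, not a value taken from either advisory.

```python
"""
Added example (not from the original post, Info-ZIP, or Cygwin): audit zip
member names for the traversal and deep-path classes quoted in the post, and
extract only members that resolve inside the destination directory.
"""
import io
import os
import tempfile
import zipfile

MAX_DEPTH = 64  # illustrative threshold (assumption), not a value from the advisories


def unsafe_reasons(name: str, max_depth: int = MAX_DEPTH) -> list[str]:
    """Return the reasons an archive member name must not be extracted as-is ([] if fine)."""
    reasons = []
    norm = name.replace("\\", "/")  # DOS-style separators count as separators too
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        reasons.append("absolute path")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        reasons.append("parent-directory component")
    if len(parts) > max_depth:
        reasons.append(f"path depth {len(parts)} exceeds {max_depth}")
    return reasons


def audit_archive(data: bytes, max_depth: int = MAX_DEPTH) -> dict[str, list[str]]:
    """Map every member name of a zip (given as bytes) to its list of problems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: unsafe_reasons(i.filename, max_depth) for i in zf.infolist()}


def safe_extract(data: bytes, dest: str, max_depth: int = MAX_DEPTH) -> list[str]:
    """Extract only members that pass the name audit AND resolve under dest; return their names."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if unsafe_reasons(info.filename, max_depth):
                continue  # refused: the raw name never reaches the filesystem
            target = os.path.realpath(os.path.join(root, info.filename))
            # belt and braces: the resolved path must still sit under root
            if os.path.commonpath([root, target]) != root:
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member and three hostile member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../etc/passwd", "root:x:0:0\n")   # traversal name
        zf.writestr("/tmp/abs.txt", "absolute\n")          # absolute path
        zf.writestr("/".join(["d"] * 80) + "/leaf.txt", "deep\n")  # 81 components deep
    return buf.getvalue()


def run_demo() -> dict:
    """Build the sample, audit it, extract into a scratch dir, and report what landed on disk."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as scratch:
        written = safe_extract(data, scratch)
        landed = sorted(
            os.path.relpath(os.path.join(dp, f), scratch).replace(os.sep, "/")
            for dp, _, files in os.walk(scratch) for f in files
        )
    return {"audit": audit_archive(data), "written": written, "landed": landed}


if __name__ == "__main__":
    result = run_demo()
    for member, problems in result["audit"].items():
        print(f"{member!r}: {'OK' if not problems else ', '.join(problems)}")
    print("extracted:", result["written"])
```

The audit is deliberately done on the raw member name rather than on what the extractor would do with it, because the whole point of the quoted UnZip advisory is that the extractor's own handling of such names was the bug; the real fix remains upgrading the package, and this check is only the guard a consumer can apply in the meantime.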