Ticket #2240 (closed task: fixed)

Opened 7 years ago

Last modified 7 years ago

Please tag new deltarpm

Reported by: toshio
Owned by: rel-eng@…
Milestone: Fedora 12 Beta
Component: koji
Keywords:
Cc: jdieter
Blocked By:
Blocking:


There's a security vulnerability in deltarpm due to its bundling of zlib. A new version of deltarpm has been built without the included zlib. Here's the bugzilla for the relevant zlib update:

https://bugzilla.redhat.com/show_bug.cgi?id=163038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849

Please tag for F12 release:
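The fix requested here is a rebuild that links the system zlib instead of a private copy, so the useful check for a reviewer is whether a given binary actually imports zlib from libz.so or still carries its own copy. The script below is an added example, not code from the ticket or the deltarpm project. It parses the text output of GNU `nm -D` and `readelf -d` (real tool formats) and looks for the copyright banner that zlib's own inflate.c and deflate.c embed in every compiled copy; the `applydeltarpm` sample lines, the byte strings and the "1.2.2" version in them are constructed for the example and are not taken from the real package.

```python
"""Tell a binary that links the system zlib apart from one with a bundled copy.

Added example (not the ticket's or deltarpm's own code). Inputs are the text
produced by `nm -D <binary>` and `readelf -d <binary>` plus the raw file bytes;
the samples at the bottom are constructed to illustrate both outcomes.
"""
import re

# zlib entry points that a dynamically linked program imports from libz.so.
ZLIB_SYMBOLS = {"inflate", "inflateInit_", "inflateInit2_", "inflateEnd",
                "deflate", "deflateInit_", "deflateInit2_", "deflateEnd",
                "crc32", "adler32", "compress", "uncompress"}

# One `nm -D` line: optional hex address, one-letter symbol type, symbol name
# (newer binutils append "@VERSION" to versioned imports).
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")
# One `readelf -d` line carrying a DT_NEEDED entry.
NEEDED_LINE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")
# zlib's inflate_copyright / deflate_copyright strings; a binary that contains
# one of them compiled a private zlib in rather than using the shared library.
BANNER = re.compile(rb" (?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4}")


def needed_libraries(readelf_output):
    """Return the DT_NEEDED shared library names, in order, from `readelf -d` text."""
    return [m.group(1) for m in NEEDED_LINE.finditer(readelf_output)]


def imported_zlib_symbols(nm_output):
    """Return the zlib entry points the binary imports (symbol type 'U') per `nm -D`."""
    found = set()
    for line in nm_output.splitlines():
        m = NM_LINE.match(line.strip())
        if m and m.group(1) == "U":
            name = m.group(2).split("@", 1)[0]  # drop any @ZLIB_1.2.0 version tag
            if name in ZLIB_SYMBOLS:
                found.add(name)
    return found


def bundled_zlib_version(binary_bytes):
    """Return the version from an embedded zlib banner, or None if there is none."""
    m = BANNER.search(binary_bytes)
    return m.group(1).decode("ascii") if m else None


def zlib_linkage(nm_output, readelf_output, binary_bytes):
    """Classify how the binary gets zlib: 'system', 'bundled', 'mixed' or 'none'."""
    imports = imported_zlib_symbols(nm_output)
    needs_libz = any(lib.startswith("libz.so") for lib in needed_libraries(readelf_output))
    uses_system = needs_libz and bool(imports)
    bundled = bundled_zlib_version(binary_bytes)
    if bundled and uses_system:
        verdict = "mixed"      # both a private copy and libz.so: worth a closer look
    elif bundled:
        verdict = "bundled"    # private copy: distro zlib fixes will not reach it
    elif uses_system:
        verdict = "system"     # what the rebuild in this ticket is meant to achieve
    else:
        verdict = "none"
    return {"verdict": verdict, "bundled_version": bundled, "imports": sorted(imports)}


# --- constructed samples (not real applydeltarpm output) --------------------
SYSTEM_NM = """\
                 U adler32@ZLIB_1.2.0
                 U crc32@ZLIB_1.2.0
                 U inflate@ZLIB_1.2.0
                 U inflateEnd@ZLIB_1.2.0
                 U inflateInit2_@ZLIB_1.2.0
0000000000004b20 T main
                 U read@GLIBC_2.2.5
"""
SYSTEM_READELF = """\
Dynamic section at offset 0x2d60 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
SYSTEM_BYTES = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"applydeltarpm: usage\x00"

BUNDLED_NM = """\
0000000000004b20 T main
                 U read@GLIBC_2.2.5
"""
BUNDLED_READELF = """\
Dynamic section at offset 0x2d60 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
BUNDLED_BYTES = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                 + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00")  # constructed banner

if __name__ == "__main__":
    print("system sample :", zlib_linkage(SYSTEM_NM, SYSTEM_READELF, SYSTEM_BYTES))
    print("bundled sample:", zlib_linkage(BUNDLED_NM, BUNDLED_READELF, BUNDLED_BYTES))
```

Against a real build you would feed it `nm -D applydeltarpm`, `readelf -d applydeltarpm` and the file contents; `nm -D` alone is not enough because a statically compiled-in zlib never shows up in the dynamic symbol table, which is why the banner search is there.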



Change History

comment:1 Changed 7 years ago by rdieter

  • Milestone set to Fedora 12 Beta

Practically a no-brainer, but gotta ask: any testing of the new build?

comment:2 Changed 7 years ago by toshio

No problems. I was putting this in so I don't forget while waiting for jdieter to be available. I don't have enough of an idea of what's involved here to test this fully.

comment:3 Changed 7 years ago by toshio

jdieter, after the response from Michael Schroeder, I updated the package. Try this version out when you test; it should avoid some problems with the first build:



I've tested makedeltarpm between Fedora rpms compressed with zlib and one zlib <=> xz package. Couldn't find a zlib_rsync package to test.

Tested applydeltarpm and applydeltarpm -r on those rpms successfully.

comment:4 Changed 7 years ago by jdieter

I've tested deltarpm-3.5-0.4.20090913git.fc12 and it works perfectly under yum-presto, which is obviously the main usage case. If Fedora isn't compressing its gzip rpms using zlib_rsync, I'm not hugely worried about that usage case (obviously, we want it to either work or bail out nicely, but fixing the security hole is far more important).

As far as I have seen, I'm happy with tagging http://koji.fedoraproject.org/koji/taskinfo?taskID=1721649

comment:5 Changed 7 years ago by notting

  • Status changed from new to closed
  • Resolution set to fixed

