#2240 Please tag new deltarpm

Created 8 years ago by toshio
Modified 9 months ago

There's a security vulnerability in deltarpm due to its bundling of zlib. New version of deltarpm built without the included zlib. Here's the bugzilla for the relevant zlib update:
https://bugzilla.redhat.com/show_bug.cgi?id=163038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849

Please tag for F12 release:

deltarpm-3.5-0.2.20090913git.fc12

http://koji.fedoraproject.org/koji/taskinfo?taskID=1720522

practically a no-brainer, but gotta ask, any testing of the new build?

No problems. I was putting this in so I don't forget while waiting for jdieter to be available. I don't have enough of an idea of what's involved here to test this fully.

jdieter, after the response from Michael Schroeder, I updated the package. Try this version out when you test, it should avoid some problems with the first build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1721649

deltarpm-3.5-0.4.20090913git.fc12.src.rpm

I've tested makedeltarpm between Fedora rpms compressed with zlib and one zlib <=> xz package. Couldn't find a zlib_rsync package to test.

Tested applydeltarpm and applydeltarpm -r on those rpms successfully.

I've tested deltarpm-3.5-0.4.20090913git.fc12 and it works perfectly under yum-presto, which is obviously the main usage case. If Fedora isn't compressing it's gzip rpms using zlib_rsync, I'm not hugely worried about that usage case (obviously, we want it to either work or bail out nicely, but fixing the security hole is far more important).

As far as I have seen, I'm happy with tagging http://koji.fedoraproject.org/koji/taskinfo?taskID=1721649

9 months ago

Metadata Update from @toshio:
- Issue set to the milestone: Fedora 12 Beta

Login to comment on this ticket.

cancel