Package        : gzip
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
CVE Ids        : CVE-1999-1332, CAN-2003-0367
Paul Szabo discovered that znew, a script included in the gzip package, creates its temporary files without taking precautions to avoid a symlink attack (CAN-2003-0367).
The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted.
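The symlink problem described above, as an added shell example (not the znew or gzexe source, and not the Debian patch): in a constructed sandbox, a predictable temporary name written with plain `>` overwrites the file a pre-existing symlink points to, while a noclobber write refuses and a `mktemp -d` directory avoids the shared location entirely. All function and file names here are made up for the illustration.

```shell
#!/bin/sh
# Added illustration of the bug class; not code from znew, gzexe or the Debian patch.

# Unsafe pattern: a predictable name in a shared directory, opened with plain '>'.
# If that name already exists as a symlink, the shell follows it and truncates the target.
unsafe_write() {    # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/scratch.$$"
}

# Safer: with noclobber (set -C) '>' fails when the name already resolves to a
# regular file or is a dangling symlink, so a pre-planted link cannot redirect the write.
exclusive_write() { # $1 = path, $2 = data
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Preferred: mktemp -d creates a directory with an unpredictable name, and the
# umask keeps it private, so nobody else can plant anything inside it.
private_tmpdir() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXXXXXX" )
}

# Constructed scenario, kept inside a private sandbox directory: 'precious'
# stands in for a file the user owns, and a symlink already sits at the
# predictable scratch name. Prints the file content after each kind of write.
demo() {
    box=$(private_tmpdir) || return 1
    printf 'important\n' > "$box/precious"
    ln -s "$box/precious" "$box/scratch.$$"

    if exclusive_write "$box/scratch.$$" "tmpdata"; then r=written; else r=refused; fi
    echo "exclusive_write: $r, precious=$(cat "$box/precious")"

    unsafe_write "$box" "tmpdata"
    echo "unsafe_write: precious=$(cat "$box/precious")"
    rm -rf "$box"
}

demo
```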
For the stable distribution (woody) both problems have been fixed in version 1.3.2-3woody1.
For the old stable distribution (potato) CAN-2003-0367 has been fixed in version 1.2.4-33.2. This version is not vulnerable to CVE-1999-1332 due to an earlier patch.
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you update your gzip package.
Upgrade Instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------