$ qlist deltup | grep bzip
/usr/bin/bzip2_1.0.3
/usr/bin/bzip2_1.0.2

I am preparing a revision bump that fixes this.
(In reply to comment #0)
> I am preparing a revision bump that fixes this.

Apparently this is necessary to reconstruct archives made with old versions, so I will hold off doing this for now.
I've added 0.4.5-r1 to tree, which doesn't include bundled bzip2. Since this does drop backwards compatibility, I'd suggest adding a PMASK for 0.4.5 with a warning about the vulnerability, drop 0.4.4, and be done with it. @sec team: does that sound okay? Alternatively, we can just drop 0.4.5 as well and bye bye backwards compatibility.
Removed 0.4.4 and PMASKed 0.4.5. Is it okay to close this one now, or does it stay open as long as there is a vulnerable version in the tree?
It looks like no vulnerable versions have been present in the tree for some time.
Two stable versions in tree: 0.4.5-r1 and 0.4.6. Per previous comments, this vulnerability has been mitigated.
No CVE present and issue has been mitigated. Vulnerability existed in a different package. GLSA Vote: No