Bug 459456 - app-portage/deltup bundles vulnerable versions of bzip2
Summary: app-portage/deltup bundles vulnerable versions of bzip2
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-27 08:23 UTC by Michael Palimaka (kensington)
Modified: 2016-03-01 05:55 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description Michael Palimaka (kensington) gentoo-dev 2013-02-27 08:23:14 UTC
$ qlist deltup | grep bzip
/usr/bin/bzip2_1.0.3
/usr/bin/bzip2_1.0.2

I am preparing a revision bump that fixes this.
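A practitioner-side check, added here as an example and not part of the bug report or of deltup itself: the file names in the qlist output above embed the version of the bundled bzip2 copy, so a script can extract those versions and flag any older than a chosen minimum. The file list and the minimum version 1.0.6 below are constructed for illustration; on a real system the list would come from `qlist <package>`.

```shell
#!/bin/sh
# Added example, not from the bug report: flag bundled bzip2 binaries whose
# version suffix is older than a chosen minimum. The file list below is a
# constructed stand-in for `qlist deltup` output, and 1.0.6 is an assumed
# minimum picked for illustration.

# Constructed sample in the shape of `qlist <package>` output.
SAMPLE_QLIST='/usr/bin/deltup
/usr/bin/bzip2_1.0.3
/usr/bin/bzip2_1.0.2
/usr/bin/bzip2_1.0.6
/usr/share/doc/deltup-0.4.4/README.bz2'

MIN_BZIP2_VERSION=1.0.6   # assumption for this example

# Print the version embedded in each path of the form .../bzip2_<version>.
# Other files (including README.bz2) do not match the pattern and are skipped.
bundled_bzip2_versions() {
    printf '%s\n' "$1" | sed -n 's#^.*/bzip2_\([0-9][0-9.]*\)$#\1#p'
}

# Return success (0) when dotted version $1 is strictly older than $2.
# Components are compared numerically, so 1.0.10 sorts after 1.0.9.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "[.]"); nb = split(b, B, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Print each bundled version from the file list $1 that is older than $2.
outdated_bundled_bzip2() {
    bundled_bzip2_versions "$1" | while IFS= read -r v; do
        if version_lt "$v" "$2"; then
            printf '%s\n' "$v"
        fi
    done
}

# Stand-alone run: prints 1.0.3 and 1.0.2 for the constructed sample.
outdated_bundled_bzip2 "$SAMPLE_QLIST" "$MIN_BZIP2_VERSION"
```

The same pattern applies to any package that ships versioned copies of an external tool: replace the `bzip2_` prefix in the sed expression and the minimum version, and feed it real `qlist` output instead of the constructed sample.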
Comment 1 Michael Palimaka (kensington) gentoo-dev 2013-02-27 08:33:31 UTC
(In reply to comment #0)
> I am preparing a revision bump that fixes this.

Apparently this is necessary to reconstruct archives made with old versions, so I will hold off doing this for now.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 15:36:34 UTC
I've added 0.4.5-r1 to tree, which doesn't include bundled bzip2. Since this does drop backwards compatibility, I'd suggest adding a PMASK for 0.4.5 with a warning about the vulnerability, drop 0.4.4, and be done with it. @sec team: does that sound okay? Alternatively, we can just drop 0.4.5 as well and bye bye backwards compatibility.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-20 12:14:34 UTC
Removed 0.4.4 and PMASKed 0.4.5. Is it okay to close this one now, or does it stay open as long as there is a vulnerable version in the tree?
Comment 4 Pacho Ramos gentoo-dev 2015-11-04 15:13:49 UTC
Looks like no vulnerable versions have been present in the tree for some time.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-21 11:03:50 UTC
Two stable versions in tree: 0.4.5-r1 and 0.4.6. Per previous comments, this vulnerability has been mitigated.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-01 05:55:55 UTC
No CVE present and the issue has been mitigated. The vulnerability existed in a different package. GLSA Vote: No