bzip2 1.0.6

The following springs from an attempt to manually compile R-3.4.1 on RHEL6
and its objecting to the use of bzip2 1.0.5 which is what RHEL6 uses.

Just want to note that, as far as I can see, bzip2 1.0.6 is a bug fix update
for vuln CVE-2010-0405, which RHEL patched into version 1.0.5-7.

So RHEL6 will report 1.0.5 despite incorporating the bugfix. Now, version 1.0.6 dates from Sept 2010 so it's fair for R to want 1.0.6 specifically, but despite having it fixed, RHEL will report bzip2 version 1.0.5 so R won't compile.

Of course it's understandable, most software moving up a version would include more than a bugfix, but it seems bzip2 is that way.

Also amazing and alarming is how much depends on bzip2 too. I suppose that's why the version couldn't be brought from 1.0.5 to 1.0.6 ... too many things would cough if that happened.
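
An added example, not part of the original post: a shell check that treats bzip2 as fixed for CVE-2010-0405 either when the upstream version is at least 1.0.6 or when the package changelog names the CVE, which is how a backport into 1.0.5 shows up. The function names `ver_ge` and `has_fix` are hypothetical, the sample changelog is constructed, and the `bzip2-libs` package name in the comment is an assumption.

```shell
#!/bin/sh
# Added example: judge the CVE-2010-0405 fix by more than the version string.

# Constructed sample of a package changelog entry recording a backport.
SAMPLE_CHANGELOG='* Mon Sep 20 2010 Packager <packager@example.invalid> 1.0.5-7
- backport fix for CVE-2010-0405'

# ver_ge A B: succeed if dotted numeric version A >= B.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}          # leading component of each version
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                            # all components equal
}

# has_fix VERSION CHANGELOG_TEXT [CVE]
# Succeeds if VERSION >= 1.0.6 (upstream fix) or the changelog text
# mentions the CVE (distribution backport into an older version).
has_fix() {
    version=$1 changelog=$2 cve=${3:-CVE-2010-0405}
    if ver_ge "$version" 1.0.6; then return 0; fi
    printf '%s\n' "$changelog" | grep -qF -- "$cve"
}

# On an RPM-based system (package name assumed to be bzip2-libs):
#   has_fix "$(rpm -q --qf '%{VERSION}' bzip2-libs)" \
#           "$(rpm -q --changelog bzip2-libs)" && echo "fix present"
```

A check that compares only the version string is the first half of `has_fix`; the changelog test is what lets a patched 1.0.5 build pass.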

Responses