Skip to content

DLPX-97858 Ubuntu Security Notification for Gzip Vulnerabilities (USN-8512-1)#400

Open
prakashsurya wants to merge 1 commit into
releasefrom
projects/cve-gzip-usn-8512-1
Open

DLPX-97858 Ubuntu Security Notification for Gzip Vulnerabilities (USN-8512-1)#400
prakashsurya wants to merge 1 commit into
releasefrom
projects/cve-gzip-usn-8512-1

Conversation

@prakashsurya

@prakashsurya prakashsurya commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Backports the Ubuntu USN-8512-1 gzip security update (1.12-1ubuntu3.2) to the release-track appliance via the misc-debs extension point. The release build (2026.4.0.0) installs 1.12-1ubuntu3.1, which is still vulnerable.

Remediates:

Changes:

  • packages/misc-debs/config.sh: one sha256-pinned debs=() entry under a comment block naming the USN, Jira ticket, CVE, and the Ubuntu archive source.
  • .deb uploaded to http://artifactory.delphix.com/artifactory/linux-pkg/misc-debs/:
    • gzip_1.12-1ubuntu3.2_amd64.deb

Fetched from the Ubuntu 24.04 LTS (noble) noble-security/noble-updates archive.

Test plan

  • PR check passes (make shellcheck + make shfmtcheck — both clean locally on this branch).
  • misc-debs Jenkins pre-push job resolves the artifactory URL with matching sha256.
  • git-ab-pre-push builds an appliance image with 1.12-1ubuntu3.2 replacing 3.1; pre-checkin regression passes.
  • On a VM from the resulting image: dpkg-query -W gzip reports 1.12-1ubuntu3.2; gzip/gunzip round-trip works.

🤖 Generated with Claude Code

Testing Done

ab-pre-push build #14507: IN PROGRESS

Pin the fixed Ubuntu USN-8512-1 gzip binary (1.12-1ubuntu3.2) into the release appliance via misc-debs. Remediates CVE-2026-41992 (DLPX-97858). The release build ships 1.12-1ubuntu3.1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@prakashsurya prakashsurya enabled auto-merge (squash) July 9, 2026 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant