Skip to content

DLPX-97858 Ubuntu Security Notification for Gzip Vulnerabilities (USN-8512-1)#400

Open
prakashsurya wants to merge 1 commit into
releasefrom
projects/cve-gzip-usn-8512-1
Open

DLPX-97858 Ubuntu Security Notification for Gzip Vulnerabilities (USN-8512-1)#400
prakashsurya wants to merge 1 commit into
releasefrom
projects/cve-gzip-usn-8512-1

Conversation

@prakashsurya

@prakashsurya prakashsurya commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Backports the Ubuntu USN-8512-1 gzip security update (1.12-1ubuntu3.2) to the release-track appliance via the misc-debs extension point. The release build (2026.4.0.0) installs 1.12-1ubuntu3.1, which is still vulnerable.

Remediates:

Changes:

  • packages/misc-debs/config.sh: one sha256-pinned debs=() entry under a comment block naming the USN, Jira ticket, CVE, and the Ubuntu archive source.
  • .deb uploaded to http://artifactory.delphix.com/artifactory/linux-pkg/misc-debs/:
    • gzip_1.12-1ubuntu3.2_amd64.deb

Fetched from the Ubuntu 24.04 LTS (noble) noble-security/noble-updates archive.

Test plan

  • PR check passes (make shellcheck + make shfmtcheck — both clean locally on this branch).
  • misc-debs Jenkins pre-push job resolves the artifactory URL with matching sha256.
  • git-ab-pre-push builds an appliance image with 1.12-1ubuntu3.2 replacing 3.1; pre-checkin regression passes.
  • On a VM from the resulting image: dpkg-query -W gzip reports 1.12-1ubuntu3.2; gzip/gunzip round-trip works.

🤖 Generated with Claude Code

Testing Done

ab-pre-push build #14507: IN PROGRESS

Pin the fixed Ubuntu USN-8512-1 gzip binary (1.12-1ubuntu3.2) into the release appliance via misc-debs. Remediates CVE-2026-41992 (DLPX-97858). The release build ships 1.12-1ubuntu3.1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@prakashsurya prakashsurya enabled auto-merge (squash) July 9, 2026 23:59

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backports the Ubuntu USN-8512-1 gzip security update into the release-track appliance by pinning a fixed .deb via the misc-debs meta-package, addressing CVE-2026-41992 (DLPX-97858).

Changes:

  • Add a sha256-pinned gzip_1.12-1ubuntu3.2_amd64.deb entry to packages/misc-debs/config.sh with contextual USN/CVE metadata.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/misc-debs/config.sh

@dbjwhs-perforce dbjwhs-perforce left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

4 participants