Date: Wed, 12 Apr 2006 10:18:08 +0100 From: Alex Zbyslaw <xfb52@dial.pipex.com> To: Ted Mittelstaedt <tedm@toybox.placo.com> Cc: freebsd-questions@freebsd.org Subject: Re: upcoming release 6.1: old version of some core components Message-ID: <443CC5D0.7020404@dial.pipex.com> In-Reply-To: <LOBBIFDAGNMAMLGJJCKNCEKBFDAA.tedm@toybox.placo.com> References: <LOBBIFDAGNMAMLGJJCKNCEKBFDAA.tedm@toybox.placo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Ted Mittelstaedt wrote: >Alex, you would lose that bet, zlib 1.2.2 has a hole in it, it >should have been replaced with 1.2.3 See the zlib website >for more info. > >Nospam, good catch, if none of the hip-shooters here file a PR I'll >get around to it the next time I get a running build off the >cvs. > > Sorry, I remain unconvinced. Follow the bug links on the zlib home page and both contain "References" like this: > > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc > https://rhn.redhat.com/errata/RHSA-2005-569.html > http://secunia.com/advisories/15949/ So unless the fixes somehow were un-made for 6.1, zlib is not vulnerable, regardless of whether the version number is 1.2.2 or 1.2.3. If you or the OP still believe that there is a bug then talking to the security officer is surely the correct course of action. (I follow bugtraq and saw FreeBSD patch notices arrive soon after the zlib bugs were reported. It's true, I could have missed later zlib bugs, but that's hard to do since you always get a slew of Linux update notices for any common package like this one. So only shooting from the hip in an Billy-the-Kid-hit-anything-at-100-paces kind of way :-)) --Alex
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?443CC5D0.7020404>