From owner-freebsd-questions@FreeBSD.ORG  Wed Apr 12 09:18:25 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CCE6516A40A
	for <freebsd-questions@freebsd.org>;
	Wed, 12 Apr 2006 09:18:25 +0000 (UTC)
	(envelope-from xfb52@dial.pipex.com)
Received: from smtp-out3.blueyonder.co.uk (smtp-out3.blueyonder.co.uk
	[195.188.213.6])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7921443D68
	for <freebsd-questions@freebsd.org>;
	Wed, 12 Apr 2006 09:18:21 +0000 (GMT)
	(envelope-from xfb52@dial.pipex.com)
Received: from [172.23.170.140] (helo=anti-virus02-07)
	by smtp-out3.blueyonder.co.uk with smtp (Exim 4.52)
	id 1FTbUH-000842-UL; Wed, 12 Apr 2006 10:18:09 +0100
Received: from [80.192.25.195] (helo=[192.168.0.2])
	by asmtp-out3.blueyonder.co.uk with esmtp (Exim 4.52)
	id 1FTbUG-0003CK-UQ; Wed, 12 Apr 2006 10:18:09 +0100
Message-ID: <443CC5D0.7020404@dial.pipex.com>
Date: Wed, 12 Apr 2006 10:18:08 +0100
From: Alex Zbyslaw <xfb52@dial.pipex.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-GB; rv:1.7.12) Gecko/20060305
X-Accept-Language: en
MIME-Version: 1.0
To: Ted Mittelstaedt <tedm@toybox.placo.com>
References: <LOBBIFDAGNMAMLGJJCKNCEKBFDAA.tedm@toybox.placo.com>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNCEKBFDAA.tedm@toybox.placo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: upcoming release 6.1: old version of some core components
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Apr 2006 09:18:25 -0000

Ted Mittelstaedt wrote:

>Alex, you would lose that bet, zlib 1.2.2 has a hole in it, it
>should have been replaced with 1.2.3  See the zlib website
>for more info.
>
>Nospam, good catch, if none of the hip-shooters here file a PR I'll
>get around to it the next time I get a running build off the
>cvs.
>  
>
Sorry, I remain unconvinced.  Follow the bug links on the zlib home page 
and both contain "References" like this:

>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc
> https://rhn.redhat.com/errata/RHSA-2005-569.html
> http://secunia.com/advisories/15949/

So unless the fixes somehow were un-made for 6.1, zlib is not 
vulnerable, regardless of whether the version number is 1.2.2 or 1.2.3.

If you or the OP still believe that there is a bug then talking to the 
security officer is surely the correct course of action. 

(I follow bugtraq and saw FreeBSD patch notices arrive soon after the 
zlib bugs were reported.  It's true, I could have missed later zlib 
bugs, but that's hard to do since you always get a slew of Linux update 
notices for any common package like this one.  So only shooting from the 
hip in an Billy-the-Kid-hit-anything-at-100-paces kind of way :-))

--Alex