Date: Tue, 12 Mar 2002 08:50:50 -0600
From: Warren Smith <wasmith@cdocs.com>
To: stable@freebsd.org
Subject: zlib vulnerability in FreeBSD
Message-ID: <200203121450.IAA03980@mail00.cdocs.com>

I just stumbled across an article about a vulnerability in the zlib
compression library at msnbc.com. Here is the link:

http://www.msnbc.com/news/722605.asp?0si=-

It mentions that CERT will be making a statement about it, so I went to
CERT's site and found this:

http://www.kb.cert.org/vuls/id/368819

It says that FreeBSD is vulnerable as of 28-Feb-2002. It also said that
there was no "known" exploit code. I'm sure that will change quickly now
that this is public.

I went and looked at the FreeBSD CVS repository for zlib
(http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libz/) and it appears that
zlib 1.1.4 has been imported into the "vendor" branch. I'm not familiar
with the "vendor" branch. Could someone enlighten me?

I went to the zlib site at http://www.gzip.org/zlib and found that
zlib 1.1.4 contains the vulnerability fix, so it appears that steps are
being taken to fix this in FreeBSD.

Anyone have any idea how long it will take to make it into RELENG_4_5?
Just curious since I have several machines to upgrade when it does.

--
Warren Smith
Analyst/Programmer
DST Output
wasmith@cdocs.com
816-843-9084

***********************************************************
The contents of this message are the sole responsibility of
Warren Smith and do NOT reflect the opinions or positions
of DST Output.
***********************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message