From: Warren Smith
Organization: Corporate Document Systems
To: stable@freebsd.org
Subject: zlib vulnerability in FreeBSD
Date: Tue, 12 Mar 2002 08:50:50 -0600
Message-Id: <200203121450.IAA03980@mail00.cdocs.com>
List: freebsd-stable

I just stumbled across an article about a vulnerability in the zlib compression library at msnbc.com. Here is the link:

http://www.msnbc.com/news/722605.asp?0si=-

It mentions that CERT will be making a statement about it, so I went to CERT's site and found this:

http://www.kb.cert.org/vuls/id/368819

It says that FreeBSD is vulnerable as of 28-Feb-2002. It also said that there was no "known" exploit code. I'm sure that will change quickly now that this is public.

I went and looked at the FreeBSD CVS repository for zlib (http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libz/) and it appears that zlib 1.1.4 has been imported into the "vendor" branch. I'm not familiar with the "vendor" branch. Could someone enlighten me?

I went to the zlib site at http://www.gzip.org/zlib and found that zlib 1.1.4 contains the vulnerability fix, so it appears that steps are being taken to fix this in FreeBSD.

Anyone have any idea how long it will take to make it into RELENG_4_5? Just curious, since I have several machines to upgrade when it does.
-- 
Warren Smith
Analyst/Programmer
DST Output
wasmith@cdocs.com
816-843-9084

***********************************************************
The contents of this message are the sole responsibility of
Warren Smith and do NOT reflect the opinions or positions of
DST Output.
***********************************************************