Date: Mon, 18 Mar 2002 14:05:15 -0700
From: Brett Glass <brett@lariat.org>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org>
At 09:20 AM 3/18/2002, Chris Faulhaber wrote:

>Yes, any software that uses libz is vulnerable to the double-free
>bug (but not necessarily exploitable).

Great. This comes just as I'm about to set up some new systems.... Not to mention the fact that I'll have to patch some old ones.

And even if I load 4.5-STABLE, my confidence that I'll get a system that's immune to the bug is a bit shaky. Many apps in the ports/packages collection may use zlib, leaving them vulnerable to a DoS at best and exploitation at worst.

So, I'm wondering: What's the best way, as I load up the new systems, to ensure that I'm not installing ANY code that was statically linked with the old, buggy zlib?

At the same time, I also need to patch or otherwise work around the OpenSSH local root hole (I spent lots of time rebuilding OpenSSH on existing machines). 4.5-STABLE should cover this, but I always dislike loading between-release snapshots. You never know when there's a hidden bug in -STABLE that'll be fixed the next day or week.

It sounds as if, perhaps, there ought to be a FreeBSD 4.5.1 release that handles the zlib bug, the OpenSSH hole, and anything else that has come up since 4.5-RELEASE.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20020318140507.00e58dc0>
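The message above asks how to tell whether installed code was statically linked against the old zlib. The script below is an added example, not code from this thread or from the FreeBSD project. It relies on one fact about zlib itself: the library embeds its version in two copyright strings (" deflate X.Y.Z Copyright ..." and " inflate X.Y.Z Copyright ..."), which survive `strip` because they are data, not symbols. A binary that carries a static copy of zlib therefore still reveals the version it was built with. The function names (`embedded_zlib_version`, `version_older_than`, `check_zlib_in_binary`) and the sample files are this example's own assumptions; 1.1.4 is the zlib release that fixed the double-free covered by FreeBSD-SA-02:18.

```shell
#!/bin/sh
# Added example (not from the thread): flag binaries that appear to carry a
# statically linked zlib older than 1.1.4, the release that fixed the
# double-free bug of FreeBSD-SA-02:18. zlib embeds its version in the strings
# " deflate X.Y.Z Copyright ..." and " inflate X.Y.Z Copyright ...", so a
# static copy can be identified from the file alone. All function names here
# are this example's own.

# Print the zlib version string embedded in file $1, or nothing if none is
# found. tr(1) stands in for strings(1): every non-printable byte becomes a
# newline, leaving the printable runs on lines of their own.
embedded_zlib_version() {
    tr -c '[:print:]' '\n' < "$1" \
      | sed -n 's/.*[di][en]flate \([0-9][0-9.]*\) Copyright.*/\1/p' \
      | head -n 1
}

# Return 0 (true) when dotted version $1 is strictly older than $2.
# Compared component by component so that 1.1.3 < 1.1.4 < 1.2.11; a missing
# component counts as 0.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify one file. Prints "VULNERABLE <ver> <file>", "OK <ver> <file>" or
# "NOZLIB <file>", and returns 0 only when an old static zlib was found, so it
# can drive find(1) -exec or an if statement.
check_zlib_in_binary() {
    f=$1
    v=$(embedded_zlib_version "$f")
    if [ -z "$v" ]; then
        echo "NOZLIB $f"
        return 1
    fi
    if version_older_than "$v" 1.1.4; then
        echo "VULNERABLE $v $f"
        return 0
    fi
    echo "OK $v $f"
    return 1
}

# Scan every regular file under the directories given on the command line
# (e.g. /usr/local/bin /usr/local/sbin /usr/local/lib) and report only hits.
scan_dirs_for_old_zlib() {
    found=1
    for d in "$@"; do
        find "$d" -type f | while read -r f; do
            check_zlib_in_binary "$f" | grep '^VULNERABLE' || true
        done
    done
    return $found
}

# Usage: sh zlibcheck.sh /usr/local/bin /usr/local/sbin /usr/local/lib
if [ $# -gt 0 ]; then
    scan_dirs_for_old_zlib "$@"
fi
```

Two caveats a practitioner should keep in mind. A dynamically linked program shows up as NOZLIB because the version string lives in libz.so, not in the executable; for those, `ldd` the binary and make sure the shared library it resolves to is the fixed one, since replacing libz.so fixes every such program at once. Conversely, a port that bundles its own modified copy of the zlib sources may have altered or removed the copyright strings, so a clean scan is evidence, not proof; checking `zlibVersion()` at runtime or rebuilding the ports against the updated library is the stronger answer.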