From: Brett Glass
To: security@FreeBSD.ORG
Date: Mon, 18 Mar 2002 14:05:15 -0700
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib

At 09:20 AM 3/18/2002, Chris Faulhaber wrote:

>Yes, any software that uses libz is vulnerable to the double-free
>bug (but not necessarily exploitable).

Great. This comes just as I'm about to set up some new systems.... Not to mention the fact that I'll have to patch some old ones.

And even if I load 4.5-STABLE, my confidence that I'll get a system that's immune to the bug is a bit shaky. Many apps in the ports/packages collection may use zlib, leaving them vulnerable to a DoS at best and exploitation at worst.

So, I'm wondering: What's the best way, as I load up the new systems, to ensure that I'm not installing ANY code that was statically linked with the old, buggy zlib?

At the same time, I also need to patch or otherwise work around the OpenSSH local root hole (I spent lots of time rebuilding OpenSSH on existing machines).

4.5-STABLE should cover this, but I always dislike loading between-release snapshots. You never know when there's a hidden bug in -STABLE that'll be fixed the next day or week. It sounds as if, perhaps, there ought to be a FreeBSD 4.5.1 release that handles the zlib bug, the OpenSSH hole, and anything else that has come up since 4.5-RELEASE.

--Brett
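One way to answer the question in the post above (finding installed binaries that carry their own statically linked copy of zlib, which a libz upgrade will not fix) is an added example script, not part of the original message or of the FreeBSD advisory. It relies on zlib's deflate.c and inflate.c embedding the strings " deflate X.Y.Z Copyright ..." and " inflate X.Y.Z Copyright ...", and it assumes the first fixed zlib release is 1.1.4 (set FIXED_ZLIB to whatever the advisory you are working from states); the function and variable names are mine.

```shell
#!/bin/sh
# Scan installed files for a statically linked zlib and report its version.
# A file that contains zlib's embedded copyright string but does not dynamically
# link libz.so carries a private copy of zlib that only a rebuild will fix.
# Assumption: 1.1.4 is the first fixed release; override with FIXED_ZLIB if needed.
FIXED_ZLIB="${FIXED_ZLIB:-1.1.4}"

# Print the zlib version embedded in a file (empty if no zlib code is present).
zlib_embedded_version() {
    grep -a -o -E '(deflate|inflate) [0-9]+\.[0-9]+(\.[0-9]+)? Copyright' "$1" 2>/dev/null |
        head -n 1 | cut -d' ' -f2
}

# Exit 0 when the file dynamically links libz.so (zlib comes from the shared library).
links_shared_libz() {
    ldd "$1" 2>/dev/null | grep -q 'libz\.so'
}

# Exit 0 when dotted version $1 is older than $2 (numeric, field by field).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Classify one file: "ok", "shared", "static-ok VER" or "static-vulnerable VER".
# Note that an old libz.so or libz.a itself also shows up as static-vulnerable,
# which is the right answer: the system library needs upgrading too.
classify_file() {
    ver=$(zlib_embedded_version "$1")
    if [ -z "$ver" ]; then
        echo "ok"
    elif links_shared_libz "$1"; then
        echo "shared"
    elif version_lt "$ver" "$FIXED_ZLIB"; then
        echo "static-vulnerable $ver"
    else
        echo "static-ok $ver"
    fi
}

# Walk the given directories (executables, shared objects, static archives) and
# list every file that needs a rebuild against a fixed zlib.
scan_dirs() {
    for dir in "$@"; do
        find "$dir" -type f \( -perm -100 -o -name '*.so*' -o -name '*.a' \) 2>/dev/null |
        while read -r f; do
            case "$(classify_file "$f")" in
                static-vulnerable*) echo "REBUILD: $f ($(zlib_embedded_version "$f"))" ;;
            esac
        done
    done
}

if [ "$#" -gt 0 ]; then scan_dirs "$@"; fi
```

Run it as `sh scan-zlib.sh /usr/local/bin /usr/local/lib /usr/local/sbin` on a freshly loaded box; for packages it flags, the fix is rebuilding the port against the patched zlib, not just updating libz.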