From owner-freebsd-security  Mon Mar 18 13: 5:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
	by hub.freebsd.org (Postfix) with ESMTP id F0F5837B402
	for <security@FreeBSD.ORG>; Mon, 18 Mar 2002 13:05:35 -0800 (PST)
Received: from lariat.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id OAA26847
	for <security@FreeBSD.ORG>; Mon, 18 Mar 2002 14:05:29 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms and other "malware."
Message-Id: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 18 Mar 2002 14:05:15 -0700
To: security@FreeBSD.ORG
From: Brett Glass <brett@lariat.org>
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 09:20 AM 3/18/2002, Chris Faulhaber wrote:

>Yes, any software that uses libz is vulnerable to the double-free
>bug (but not necessarily exploitable).

Great. This comes just as I'm about to set up some new systems....
Not to mention the fact that I'll have to patch some old ones. And
even if I load 4.5-STABLE, my confidence that I'll get a system
that's immune to the bug is a bit shaky. Many apps in the ports/packages 
collection may use zlib, leaving them vulnerable to a DoS at best and
exploitation at worst.

So, I'm wondering: What's the best way, as I load up the new systems,
to ensure that I'm not installing ANY code that was statically linked 
with the old, buggy zlib? 

At the same time, I also need to patch or otherwise work around
the OpenSSH local root hole (I spent lots of time rebuilding OpenSSH
on existing machines). 4.5-STABLE should cover this, but I always
dislike loading between-release snapshots. You never know when there's 
a hidden bug in -STABLE that'll be fixed the next day or week.

It sounds as if, perhaps, there ought to be a FreeBSD 4.5.1 release
that handles the zlib bug, the OpenSSH hole, and anything else that 
has come up since 4.5-RELEASE.

--Brett



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message