From: "Ted Mittelstaedt"
To: "Lowell Gilbert", "Timothy Luoma"
cc: FreeBSD-Questions Questions
Date: Sun, 30 Jan 2005 16:39:24 -0800
Subject: RE: 1st security warning: "installed zlib version may contain a security bug"
In-Reply-To: <44mzurexlf.fsf@be-well.ilk.org>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Lowell Gilbert
> Sent: Sunday, January 30, 2005 7:38 AM
> To: Timothy Luoma
> Cc: FreeBSD-Questions Questions
> Subject: Re: 1st security warning: "installed zlib version may contain
> a security bug"
>
>
> Timothy Luoma writes:
>
> > I was trying to configure && make 'clamav-0.81' when it complained
> > about this:
> >
> > configure: error: The installed zlib version may contain a security
> > bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can
> > omit this check with --disable-zlib-vcheck but DO NOT REPORT any
> > stablility issues then!
> >
> > I went to zlib.net, downloaded 1.2.2, did './configure && make install
> > clean'
> >
> > Is that all I need to do? This is my first "security warning" so I
> > want to make sure I'm not missing something obvious.
>
> It sounds like you're missing the ports collection, to begin with. It
> will handle dependencies for you, a big help in upgrades.

Lowell,

Considering that /ports/security/clamav was only updated to clamav 0.81
6 hours ago, it is quite expected that the OP would have tried building
this himself.

> And you
> should try to use the FreeBSD base system upgrades and security
> advisories for keeping up on security issues, rather than trying to
> install bits and pieces yourself (unlike, say, Linux, FreeBSD is a
> whole operating system).
>

zlib is part of the base OS; it should be at version 1.2.2 in FreeBSD
4.11R, since version 1.2.2 was released in October 2004. However, all
prior FreeBSD will be at 1.2.1. And furthermore there is NO current
security advisory on zlib for FreeBSD. I might also point out that
http://www.gzip.org/zlib/ still shows the old zlib.

This is an easy fix. Download zlib 1.2.2 from http://www.zlib.net and
build it according to the instructions and install it in /usr/local.
Temporarily rename /usr/lib/libz.a, /usr/lib/libz.so, /usr/lib/libz.so.2,
and /usr/lib/libz_p.a to backup files, build clamav (this will shut up
clamav and allow it to build), then rename them back.

Keep in mind that this WILL NOT fix the zlib security hole in the
system. zlib is probably linked into a number of utilities on your
system and a proper fix would be to replace the zlib library, and
recompile all the utilities in the system that are linked into the
static library.

Ted
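
An added example, not part of the original message: one way to find the files that a library swap would leave untouched, by scanning for the copyright strings zlib compiles into any binary that contains its deflate or inflate code. The function names, the default directory list and the sample bytes are assumptions made for this illustration.

```python
import re
import sys
from pathlib import Path

# zlib embeds " deflate <ver> Copyright ..." and " inflate <ver> Copyright ..."
# in its object code, so the strings survive static linking into a utility.
ZLIB_MARK = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+){1,3})[^ ]* Copyright")
FIXED = (1, 2, 2)  # version the clamav configure check asks for

# Constructed sample: bytes shaped like a binary with zlib 1.2.1 linked in.
SAMPLE_STATIC = (b"\x7fELF\x00\x00 deflate 1.2.1 Copyright 1995-2003 "
                 b"Jean-loup Gailly \x00 inflate 1.2.1 Copyright 1995-2003 "
                 b"Mark Adler \x00")


def embedded_zlib_versions(data):
    """Return the set of zlib version tuples whose markers occur in data."""
    return {tuple(int(part) for part in m.group(1).split(b"."))
            for m in ZLIB_MARK.finditer(data)}


def scan(paths, fixed=FIXED):
    """Map each regular file to its embedded zlib versions older than fixed."""
    findings = {}
    for path in map(Path, paths):
        try:
            if not path.is_file():
                continue
            data = path.read_bytes()
        except OSError:
            continue  # unreadable or vanished file: nothing to report
        old = sorted(v for v in embedded_zlib_versions(data) if v < fixed)
        if old:
            findings[str(path)] = old
    return findings


def scan_dirs(dirs, fixed=FIXED):
    """Scan the direct children of each directory in dirs."""
    return scan((f for d in dirs for f in Path(d).glob("*")), fixed)


if __name__ == "__main__":
    # Assumed default locations; pass other directories as arguments.
    dirs = sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib"]
    for name, versions in sorted(scan_dirs(dirs).items()):
        print(name, ", ".join(".".join(map(str, v)) for v in versions))
```

A dynamically linked program does not carry the marker itself, so it is covered by the entry reported for the shared library it loads. The version string says nothing about patches applied without a version bump.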