Date: Sun, 30 Jan 2005 16:49:05 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Ted Mittelstaedt" <tedm@toybox.placo.com>, "Lowell Gilbert" <freebsd-questions-local@be-well.ilk.org>, "Timothy Luoma" <lists@tntluoma.com>
Cc: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: RE: 1st security warning: "installed zlib version may contain a security bug"
Message-ID: <LOBBIFDAGNMAMLGJJCKNKEDCFAAA.tedm@toybox.placo.com>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNCEDCFAAA.tedm@toybox.placo.com>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Ted Mittelstaedt
> Sent: Sunday, January 30, 2005 4:39 PM
> To: Lowell Gilbert; Timothy Luoma
> Cc: FreeBSD-Questions Questions
> Subject: RE: 1st security warning: "installed zlib version may contain a security bug"
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Lowell Gilbert
> > Sent: Sunday, January 30, 2005 7:38 AM
> > To: Timothy Luoma
> > Cc: FreeBSD-Questions Questions
> > Subject: Re: 1st security warning: "installed zlib version may contain a security bug"
> >
> > Timothy Luoma <lists@tntluoma.com> writes:
> >
> > > I was trying to configure && make 'clamav-0.81' when it complained
> > > about this:
> > >
> > > configure: error: The installed zlib version may contain a security
> > > bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can
> > > omit this check with --disable-zlib-vcheck but DO NOT REPORT any
> > > stablility issues then!
> > >
> > > I went to zlib.net, downloaded 1.2.2, did './configure && make install
> > > clean'
> > >
> > > Is that all I need to do? This is my first "security warning" so I
> > > want to make sure I'm not missing something obvious.
> >
> > It sounds like you're missing the ports collection, to begin with. It
> > will handle dependencies for you, a big help in upgrades.
>
> Lowell,
>
> Considering that /ports/security/clamav was only updated to
> clamav 0.81 6 hours ago it is quite expected that the OP would
> have tried building this himself.
>
> > And you
> > should try to use the FreeBSD base system upgrades and security
> > advisories for keeping up on security issues, rather than trying to
> > install bits and pieces yourself (unlike, say, Linux, FreeBSD is a
> > whole operating system).
> >
>
> zlib is part of the base OS it should be at version 1.2.2 in FreeBSD 4.11R,
> since version 1.2.2 was released in October 2004.
>

Oops, belay this - the version of zlib in FreeBSD is much older and
is not vulnerable. clamav is the problem - the check they are making
is assuming that any zlib implementation that is not 1.2.2 is
vulnerable.

The hack that I gave will work to get clamav built on your system - but
there is no need to update the zlib libraries.

Ted
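
The false positive described in this message, as an added example that is not part of the original e-mail and is not clamav's configure code: a check that flags every zlib below 1.2.2 also flags an older release that predates the affected code, while a range check does not. The lower bound 1.2.0, the function names and the sample version strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; the lower bound is an assumption, not from the thread.
AFFECTED_FROM="1.2.0"   # assumed first release containing the flawed code
FIXED_IN="1.2.2"        # release the configure message asks for

# ver_lt A B: succeed when dotted version A sorts strictly before B.
# Fields compare numerically, missing fields count as 0, and any
# non-digit suffix on a field (e.g. "1-beta") is ignored.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1
}

# The check the thread objects to: everything below the fixed release is flagged.
naive_check() {
    if ver_lt "$1" "$FIXED_IN"; then echo vulnerable; else echo not-affected; fi
}

# Range-aware check: releases older than the affected code are not flagged.
range_check() {
    if ver_lt "$1" "$AFFECTED_FROM"; then echo not-affected
    elif ver_lt "$1" "$FIXED_IN"; then echo vulnerable
    else echo not-affected
    fi
}

# Read the version the build will actually compile against from zlib.h.
zlib_header_version() {
    sed -n 's/^#define[[:space:]]*ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Constructed sample versions: an older 1.1.x, two 1.2.x, the fix, a later one.
for v in 1.1.4 1.2.0 1.2.1.1 1.2.2 1.2.3; do
    printf '%-8s naive=%-12s range=%s\n' "$v" "$(naive_check "$v")" "$(range_check "$v")"
done
```

Pointing `zlib_header_version` at the system's `zlib.h` and feeding the result to `range_check` shows which verdict applies to the library a build would use.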