From owner-freebsd-questions@FreeBSD.ORG Mon Jan 31 00:49:08 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 954B716A4CE for ; Mon, 31 Jan 2005 00:49:08 +0000 (GMT) Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [65.75.192.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27DBF43D49 for ; Mon, 31 Jan 2005 00:49:08 +0000 (GMT) (envelope-from tedm@toybox.placo.com) Received: from tedwin2k (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130]) j0V0n7j62564; Sun, 30 Jan 2005 16:49:07 -0800 (PST) (envelope-from tedm@toybox.placo.com) From: "Ted Mittelstaedt" To: "Ted Mittelstaedt" , "Lowell Gilbert" , "Timothy Luoma" Date: Sun, 30 Jan 2005 16:49:05 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 Importance: Normal cc: FreeBSD-Questions Questions Subject: RE: 1st security warning: "installed zlib version may containasecurity bug" X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jan 2005 00:49:08 -0000 > -----Original Message----- > From: owner-freebsd-questions@freebsd.org > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Ted > Mittelstaedt > Sent: Sunday, January 30, 2005 4:39 PM > To: Lowell Gilbert; Timothy Luoma > Cc: FreeBSD-Questions Questions > Subject: RE: 1st security warning: "installed zlib version may > containasecurity bug" > > > > > > -----Original Message----- > > From: owner-freebsd-questions@freebsd.org > > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of > Lowell Gilbert > > Sent: Sunday, January 30, 2005 7:38 AM > > To: Timothy Luoma > > Cc: FreeBSD-Questions Questions > > Subject: Re: 1st security warning: "installed zlib version > may contain > > asecurity bug" > > > > > > Timothy Luoma writes: > > > > > I was trying to configure && make 'clamav-0.81' when it complained > > > about this: > > > > > > configure: error: The installed zlib version may contain a security > > > bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can > > > omit this check with --disable-zlib-vcheck but DO NOT REPORT any > > > stablility issues then! > > > > > > I went to zlib.net, downloaded 1.2.2, did './configure && > > make install > > > clean' > > > > > > Is that all I need to do? This is my first "security warning" so I > > > want to make sure I'm not missing something obvious. > > > > It sounds like you're missing the ports collection, to begin > with. It > > will handle dependencies for you, a big help in upgrades. > > Lowell, > > Considering that /ports/security/clamav was only updated to > clamav 0.81 6 hours ago it is quite expected that the OP would > have tried building this himself. > > And you > > should try to use the FreeBSD base system upgrades and security > > advisories for keeping up on security issues, rather than trying to > > install bits and pieces yourself (unlike, say, Linux, FreeBSD is a > > whole operating system). > > > > zlib is part of the base OS it should be at version 1.2.2 in FreeBSD > 4.11R, > since version 1.2.2 was released in October 2004. > Oops, belay this - the version of zlib in FreeBSD is much older and is not vulnerable. clamav is the problem - the check they are making is assuming that any zlib implementation that is not 1.2.2 is vulnerable. The hack that I gave will work to get clamav built on your system - but there is no need to update the zlib libraries. Ted