Date: Sun, 30 Jan 2005 16:39:24 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Lowell Gilbert" <freebsd-questions-local@be-well.ilk.org>, "Timothy Luoma" <lists@tntluoma.com>
Cc: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: RE: 1st security warning: "installed zlib version may contain a security bug"
Message-ID: <LOBBIFDAGNMAMLGJJCKNCEDCFAAA.tedm@toybox.placo.com>
In-Reply-To: <44mzurexlf.fsf@be-well.ilk.org>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Lowell Gilbert
> Sent: Sunday, January 30, 2005 7:38 AM
> To: Timothy Luoma
> Cc: FreeBSD-Questions Questions
> Subject: Re: 1st security warning: "installed zlib version may contain
> a security bug"
>
>
> Timothy Luoma <lists@tntluoma.com> writes:
>
> > I was trying to configure && make 'clamav-0.81' when it complained
> > about this:
> >
> > configure: error: The installed zlib version may contain a security
> > bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can
> > omit this check with --disable-zlib-vcheck but DO NOT REPORT any
> > stablility issues then!
> >
> > I went to zlib.net, downloaded 1.2.2, did './configure && make install
> > clean'
> >
> > Is that all I need to do? This is my first "security warning" so I
> > want to make sure I'm not missing something obvious.
>
> It sounds like you're missing the ports collection, to begin with. It
> will handle dependencies for you, a big help in upgrades.

Lowell,

Considering that /ports/security/clamav was only updated to clamav 0.81
6 hours ago it is quite expected that the OP would have tried building
this himself.

> And you
> should try to use the FreeBSD base system upgrades and security
> advisories for keeping up on security issues, rather than trying to
> install bits and pieces yourself (unlike, say, Linux, FreeBSD is a
> whole operating system).
>

zlib is part of the base OS; it should be at version 1.2.2 in FreeBSD
4.11R, since version 1.2.2 was released in October 2004. However, all
prior FreeBSD will be at 1.2.1. And furthermore there is NO current
security advisory on zlib for FreeBSD. I might also point out that
http://www.gzip.org/zlib/ still shows the old zlib.

This is an easy fix. Download zlib 1.2.2 from http://www.zlib.net and
build it according to the instructions and install it in /usr/local.
Temporarily rename /usr/lib/libz.a, /usr/lib/libz.so, /usr/lib/libz.so.2,
and /usr/lib/libz_p.a to backup files, build clamav (this will shut up
clamav and allow it to build) then rename them back.

Keep in mind that this WILL NOT fix the zlib security hole in the system.
zlib is probably linked into a number of utilities on your system and a
proper fix would be to replace the zlib library, and recompile all the
utilities in the system that are linked into the static library.

Ted
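
The closing point of the message above, that utilities linked against the static library keep the old zlib until they are rebuilt, can be checked on disk. The following is an added example, not part of the original e-mail: it relies on the " inflate X.Y.Z Copyright" / " deflate X.Y.Z Copyright" strings that zlib compiles into its code, and the function names and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find files that carry their own (statically linked) zlib
# older than a minimum version, using zlib's embedded copyright strings.

# Print each distinct zlib version string embedded in FILE, one per line.
zlib_embedded_versions() {
    LC_ALL=C grep -a -o -E '(inflate|deflate) [0-9]+(\.[0-9]+)+ Copyright' "$1" 2>/dev/null |
        awk '{ print $2 }' | sort -u
}

# Succeed (exit 0) only if dotted version $1 is older than $2.
version_lt() {
    [ "$1" = "$2" ] && return 1
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0   # numeric compare, so 1.2.10 > 1.2.2
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print "path version" for every regular file under DIR embedding zlib < MIN.
scan_for_old_zlib() {
    dir=$1 min=$2
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        for v in $(zlib_embedded_versions "$f"); do
            if version_lt "$v" "$min"; then
                printf '%s %s\n' "$f" "$v"
            fi
        done
    done
}

# Stand-alone demo on constructed files (not real binaries).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '\001\002 inflate 1.2.1 Copyright 1995-2003 Mark Adler \003' > "$tmp/old_tool"
    printf '\001\002 inflate 1.2.2 Copyright 1995-2004 Mark Adler \003' > "$tmp/new_tool"
    printf 'no compression code here' > "$tmp/plain"
    scan_for_old_zlib "$tmp" 1.2.2    # lists only old_tool with version 1.2.1
    rm -rf "$tmp"
}
demo
```

A dynamically linked program does not match, because the string lives in libz.so itself; those programs pick up the fix as soon as the shared library is replaced, while every file this scan reports needs a rebuild.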