zlib-1.1.4 out - security fix

Mark Hymers markh at linuxfromscratch.org
Mon Mar 11 16:42:18 PST 2002


On Mon, 11, Mar, 2002 at 05:44:03PM -0500, Gerard Beekmans spoke thus..
> On Mon, Mar 11, 2002 at 10:30:10PM +0000, Ryan M. McConahy wrote:
> > How about someone writing a script that'll search through
> > /usr/src and find all vulnerable packages? I mean, there's
> > got to be more affected than just the base LFS packages,
> > come on!
> 
> it's not the base lfs packages I'm worried about. There aren't too many
> that use zlib, gcc may use something internal and the kernel does. I'm more
> worried about the nearly 100 other packages installed on the
> linuxfromscratch.org, or the several hundred on other servers. Drat it's
> gonna be a nice job
Ironically it's probably good that this has come out now.  AFAIK the
next version of gzip will *need* zlib to compile and so we'll probably
have to add zlib to the main LFS book if we want to continue to install
gzip.  So from our point of view at least the problem has been seen
before it's affected the main project.  BTW Gerard, what will your
opinion be on having to add zlib as a base package (assuming they go
with that)?

Personally I think it's one of the best arguments I've ever seen for
*dynamic* linking of libraries.  I'm glad my copy of openssh uses the
dynamic copy (I have heard that some distros have libz statically
compiled in - the question WHY springs to mind..).  If it's all dynamic,
one small upgrade and the problem's fixed.

Mark

-- 
Mark Hymers					BLFS Editor
markh at linuxfromscratch.org
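
The inventory script asked for above, together with the static-versus-dynamic distinction, as an added example that is not part of the original thread: it looks for the copyright banners zlib compiles into its inflate and deflate code, which turn up in statically linked binaries, static archives and bundled source copies alike. Assumptions: anything older than 1.1.4 (the release in the subject line) needs rebuilding, the `libz.so` match is only a heuristic for a dynamic dependency, and the names `classify` and `scan` are made up for this sketch.

```python
import re
import sys
from pathlib import Path

# zlib compiles these banners into any binary containing its inflate/deflate
# code; the same literals sit in bundled source copies (inftrees.c, deflate.c).
BANNER = re.compile(rb" (?:inflate|deflate) (\d+(?:\.\d+)+)\S* Copyright 1995-\d{4} ")
# Heuristic for a dynamic dependency: NUL-terminated soname in the string table.
NEEDED = re.compile(rb"libz\.so(?:\.\d+)*\x00")
FIXED = (1, 1, 4)  # assumption: the release named in the subject line is the fix
# Constructed sample: bytes shaped like a binary with zlib 1.1.3 linked in statically.
SAMPLE_STATIC = b"\x7fELF\x00 inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def classify(data: bytes) -> tuple:
    """Return (status, versions) for one file's raw bytes."""
    found = {m.group(1).decode() for m in BANNER.finditer(data)}
    versions = sorted(found, key=version_key)
    if versions:
        old = [v for v in versions if version_key(v) < FIXED]
        return ("embedded-old", old) if old else ("embedded-ok", versions)
    if NEEDED.search(data):
        return ("dynamic", [])  # fixed by upgrading the shared library once
    return ("none", [])


def scan(root: str) -> dict:
    """Classify every regular file under root, leaving out files with no zlib trace."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            status = classify(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the inventory
        if status[0] != "none":
            results[str(path)] = status
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (status, versions) in sorted(scan(root).items()):
        print(f"{status:13} {','.join(versions):8} {name}")
```

The shared library itself also carries the banners, so `libz.so` shows up as `embedded-ok` or `embedded-old` depending on the installed version.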