
RE: [cobalt-security] Double Free Bug in ZLIB Compression Library



Hi Gerald,
  just to let you know, the Sun/Cobalt Vulnerability Assessment team is
aware of this and is working to resolve it.  This is a low threat level
right now due to the difficulty of exploiting a double free bug.  Our
research indicates that the following might be vulnerable.  

zlib (update to v 1.1.4)
cvs  (updated to use system shared zlib)
dump (updated to use system shared zlib)
gcc3 (if we are using it anywhere)
libgcj (updated to use system shared zlib)
Linux kernel (uses internal zlib variant with bug)
rsync (incorporates other security fixes as well)

These are the updated RPMs from the RedHat advisory.  I would rather not
show up "on-list" on this one due to the amount of time answering all
the e-mails would take, but if you are looking for a list of impacted
packages, the above is what we found.  

I'm not sure what the sustaining schedule looks like, but a patch will
be generated as soon as possible.  

   Thanks for your support of Sun Cobalt products!
   Mark.

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Gerald Waugh
Sent: Tuesday, March 12, 2002 10:57 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] Double Free Bug in ZLIB Compression Library




Upgrade your version of zlib

   The maintainers of zlib have released version 1.1.4 to address this
   vulnerability. Upgrade any software that is linked to or derived from
   an earlier version of zlib. The latest version of zlib is available at
   http://www.zlib.org

http://www.cert.org/advisories/CA-2002-07.html


--
Gerald Waugh
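An added example, not part of either message above or of zlib itself: the advice to upgrade anything "linked to or derived from" an earlier zlib means finding binaries that carry their own copy, and stock zlib compiles a versioned copyright string into every build. The function names and the sample byte strings below are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Stock zlib builds, shared or statically linked, carry strings such as
#   " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
#   " inflate 1.1.3 Copyright 1995-1998 Mark Adler "
ZLIB_MARK = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-")
FIXED = (1, 1, 4)  # release the quoted advisory says to upgrade to


def embedded_zlib_versions(data):
    """Return the set of zlib version strings embedded in a binary image."""
    return {m.group(1).decode("ascii") for m in ZLIB_MARK.finditer(data)}


def is_older_than_fix(version):
    """True when the dotted version sorts before 1.1.4."""
    return tuple(int(p) for p in version.split(".")) < FIXED


def audit(paths):
    """Return (path, version) for each file embedding a pre-1.1.4 zlib."""
    findings = []
    for path in paths:
        try:
            data = Path(path).read_bytes()
        except OSError:
            continue  # unreadable or vanished file: skip, keep scanning
        for version in sorted(embedded_zlib_versions(data)):
            if is_older_than_fix(version):
                findings.append((str(path), version))
    return findings


# Constructed sample images (not real binaries) for a quick self-check.
SAMPLE_OLD = (b"\x7fELF\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
              b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
SAMPLE_FIXED = b"\x7fELF\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"

if __name__ == "__main__":
    for path, version in audit(sys.argv[1:]):
        print(f"{path}: embeds zlib {version} (older than 1.1.4)")
```

A vendor package with a backported fix keeps the old version string, and modified zlib variants may not carry the strings at all, so treat hits as candidates to check against the vendor's advisory rather than as proof either way.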