Re: [cobalt-security] zlib - new security problem
- Subject: Re: [cobalt-security] zlib - new security problem
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed, 10 Apr 2002 15:10:42 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
"marcus miller" <cobalt_security_list@xxxxxxxxxxx> wrote:
> I have tried searching the cobalt user archives and can find no reference to
> this problem. (there is a post that comes up but it seems to be some kind
> of flame!)
>
> There is a new(ish) possible security hole relating to all packages that use
> zlib.
>
> So as not to spam this board, the full details can be found here:
> http://www.kb.cert.org/vuls/id/JPLA-57DKCV
>
> I would like to know if any of you are......
> a) aware of this
Yes. There were a lot of posts about it on the cobalt lists (among other
places) the day it was announced. Check the archives for March 13 or so.
> b) concerned by this
Yes.
> c) aware of a fix
Install zlib-1.1.4 and recompile all of the software that uses zlib or grab
versions that use the latest zlib. Many programs have versions relying on
the latest zlib, others like gnupg don't - at least not when I recompiled
it a few weeks ago, which required modifying the gnupg source. AFAIK,
Cobalt hasn't released a zlib upgrade or patches for software that uses
zlib.
> I was recently made painfully aware of the errors of not keeping fully
> up-to-date with the latest security measures so I would appreciate any
> replies.
Hundreds of programs use zlib. There's a list on the zlib homepage. I'd
take a look and do an inventory of your server and see what's affected.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
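
One way to do the server inventory suggested in the reply above, as an added example that is not part of the original message: zlib compiles version-stamped copyright strings into deflate.c and inftrees.c, so a byte scan finds copies that were statically linked or bundled into other programs. The default directories and the function names are assumptions chosen for illustration.

```python
import os
import re
import sys

# zlib embeds strings such as " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
# and " inflate 1.1.3 Copyright 1995-1998 Mark Adler "; they survive static linking.
ZLIB_MARK = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-")
FIXED = (1, 1, 4)  # the release the reply says to install


def embedded_zlib_versions(data):
    """Return the sorted, de-duplicated zlib version tuples found in a byte string."""
    found = set()
    for match in ZLIB_MARK.finditer(data):
        found.add(tuple(int(part) for part in match.group(1).split(b".")))
    return sorted(found)


def is_outdated(version, fixed=FIXED):
    """True when the version tuple is older than the fixed release."""
    return tuple(version) < tuple(fixed)


def scan_tree(root):
    """Yield (path, versions) for regular files under root that embed zlib."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            versions = embedded_zlib_versions(data)
            if versions:
                yield path, versions


if __name__ == "__main__":
    # Assumed default search roots; pass other directories as arguments.
    for root in sys.argv[1:] or ["/usr/lib", "/usr/bin", "/usr/sbin"]:
        for path, versions in scan_tree(root):
            for version in versions:
                status = "OUTDATED" if is_outdated(version) else "ok"
                print(f"{status}\t{'.'.join(map(str, version))}\t{path}")
```

Programs that only link dynamically against the shared zlib library will not match; they pick up the fix once the library itself is upgraded, so an OUTDATED hit on anything other than the shared library points at a copy that needs a rebuild.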