Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow
Michael Stone wrote:
> A number of programs either link statically to zlib or include
> a private copy of zlib code. These programs must also be upgraded
> to eliminate the zlib vulnerability. The affected packages and fixed
> versions follow:
> amaya 2.4-1potato1
> dictd 1.4.9-9potato1
> erlang 49.1-10.1
> freeamp 2.0.6-2.1
> mirrordir 0.10.48-2.1
> ppp 2.3.11-1.5
> rsync 2.3.2-1.6
> vrweb 1.5-5.1
So how many of these packages actually have a good reason to include
their own zlib or link statically? This particular security hole is a
classic example of why doing either with any library is braindead.
Shouldn't we try to make them all use the standard zlib, dynamically
linked?
I know that some packages I maintain have their own copy of zlib in
them; luckily I went with the dynamic library, so they do not appear in
the above list.
--
see shy jo
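
An added example, not part of the original message: one way to audit a tree for binaries that carry their own zlib, whether statically linked or built from a private copy. It assumes the marker strings zlib compiles into its deflate and inflate code; the function names and the sample bytes are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Assumption: zlib compiles marker strings such as
# " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly " into its objects,
# so they appear in any binary that carries the code itself.
ZLIB_MARKER = re.compile(rb"(?:deflate|inflate) ([0-9][0-9A-Za-z.\-]{0,20}) Copyright 1995-")
ELF_MAGIC = b"\x7fELF"

# Constructed sample: the start of a fake ELF file with zlib linked in.
SAMPLE_STATIC = (ELF_MAGIC + b"\x00" * 16
                 + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
                 + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")


def embedded_zlib_versions(data):
    """Return the set of zlib version strings found inside a binary image."""
    return {m.group(1).decode("ascii") for m in ZLIB_MARKER.finditer(data)}


def scan_tree(root):
    """Map each ELF file under root that embeds zlib to the versions found."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        # The shared library itself is the one copy that is supposed to exist.
        if path.is_symlink() or not path.is_file() or path.name.startswith("libz."):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if not data.startswith(ELF_MAGIC):
            continue
        versions = embedded_zlib_versions(data)
        if versions:
            findings[str(path)] = sorted(versions)
    return findings


if __name__ == "__main__":
    print("sample:", sorted(embedded_zlib_versions(SAMPLE_STATIC)))
    for name, versions in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: embedded zlib {', '.join(versions)}")
```

The markers are ordinary string data, so stripping symbols does not remove them; a binary that only links libz dynamically will not match.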