On Mon, Mar 11, 2002 at 07:50:44PM -0500, Joey Hess wrote:
> Michael Stone wrote:
> > A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >
> > amaya 2.4-1potato1
> > dictd 1.4.9-9potato1
> > erlang 49.1-10.1
> > freeamp 2.0.6-2.1
> > mirrordir 0.10.48-2.1
> > ppp 2.3.11-1.5
> > rsync 2.3.2-1.6
> > vrweb 1.5-5.1
>
> So how many of these packages actually have a good reason to include
> their own zlib or link statically? This particular security hole is a
> classic example of why doing either with any library is braindead.
> Shouldn't we try to make them all use the standard zlib, dynamically
> linked?

Of those, in sid: rsync uses a modified zlib and can't dynamically link;
amaya now links dynamically; freeamp links dynamically; vrweb links
dynamically. dictd should link dynamically, but needs a smarter build
process. mirrordir is easy to fix.

--
Mike Stone