
Bug#137973: marked as done (fastjar: static link to insecure zlib)



Your message dated Thu, 14 Mar 2002 11:53:41 +0100
with message-id <15504.33077.193057.389337@gargle.gargle.HOWL>
and subject line fixed in 3.0.4-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Mar 2002 09:17:00 +0000
>From cjwatson@flatline.org.uk Tue Mar 12 03:17:00 2002
Return-path: <cjwatson@flatline.org.uk>
Received: from rhenium.btinternet.com [194.73.73.93] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16kiOx-0001El-00; Tue, 12 Mar 2002 03:17:00 -0600
Received: from host217-35-25-97.in-addr.btopenworld.com ([217.35.25.97] helo=arborlon.lab.dotat.at)
	by rhenium.btinternet.com with esmtp (Exim 3.22 #8)
	id 16kiOs-0003hh-00; Tue, 12 Mar 2002 09:16:54 +0000
Received: from cjwatson by arborlon.lab.dotat.at with local (Exim 3.35 #1 (Debian))
	id 16kiOE-0005ls-00; Tue, 12 Mar 2002 09:16:14 +0000
Date: Tue, 12 Mar 2002 09:16:13 +0000
From: Colin Watson <cjwatson@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fastjar: static link to insecure zlib
Message-ID: <20020312091613.GA22124@arborlon.riva.ucam.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
X-Reportbug-Version: 1.44
Sender: Colin Watson <cjwatson@flatline.org.uk>
Delivered-To: submit@bugs.debian.org

Package: fastjar
Version: 1:3.0.4-2
Severity: grave
Justification: user security hole
Tags: security

fastjar and grepjar both appear to link statically to zlib, so need to
be rebuilt against a zlib1g-dev not vulnerable to the recently announced
security hole.

(Actually, when I configured gcc-3.0 on auric it seemed to end up with
'ZLIBS = $(top_builddir)/../zlib/libz.a -L$(here)/../zlib/', despite the
use of --with-system-zlib. Perhaps src/zlib should be patched to be on
the safe side; diffing zlib_1.1.3-19.diff.gz and zlib_1.1.3-19.1.diff.gz
produces the patch.)

Thanks,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

---------------------------------------
Received: (at 137973-done) by bugs.debian.org; 14 Mar 2002 10:54:17 +0000
>From doko@cs.tu-berlin.de Thu Mar 14 04:54:17 2002
Return-path: <doko@cs.tu-berlin.de>
Received: from mail.cs.tu-berlin.de [130.149.17.13] (root)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16lSsD-0000Pz-00; Thu, 14 Mar 2002 04:54:17 -0600
Received: from bolero.cs.tu-berlin.de (daemon@bolero.cs.tu-berlin.de [130.149.19.1])
	by mail.cs.tu-berlin.de (8.9.3/8.9.3) with ESMTP id LAA09021
	for <137973-done@bugs.debian.org>; Thu, 14 Mar 2002 11:53:41 +0100 (MET)
Received: (from doko@localhost)
	by bolero.cs.tu-berlin.de (8.11.6+Sun/8.9.3) id g2EArfu08437;
	Thu, 14 Mar 2002 11:53:41 +0100 (MET)
From: Matthias Klose <doko@cs.tu-berlin.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15504.33077.193057.389337@gargle.gargle.HOWL>
Date: Thu, 14 Mar 2002 11:53:41 +0100
To: 137973-done@bugs.debian.org
Subject: fixed in 3.0.4-4
X-Mailer: VM 7.00 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Delivered-To: 137973-done@bugs.debian.org

fixed in 3.0.4-4
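
Added example, not part of the original report or of the fastjar/gcc packaging: one way to find binaries that carry a statically linked zlib, as the report describes for fastjar and grepjar, by searching for the copyright strings that zlib's inflate and deflate objects embed. The function names and sample blobs are constructed for illustration.

```python
import re
import sys

# zlib's inftrees.c and deflate.c each define a copyright string; the linker
# carries it into any binary that includes those objects from libz.a. A binary
# that only uses the shared libz.so does not contain it.
ZLIB_MARK = re.compile(
    rb"(inflate|deflate) (\d+(?:\.\d+)+) Copyright 1995-\d{4} "
    rb"(?:Mark Adler|Jean-loup Gailly)"
)

def embedded_zlib(data: bytes) -> dict:
    """Return {'inflate'|'deflate': {version, ...}} for zlib copies found in data."""
    found = {}
    for m in ZLIB_MARK.finditer(data):
        found.setdefault(m.group(1).decode(), set()).add(m.group(2).decode())
    return found

def scan(paths):
    """Yield (path, component, version) for every embedded zlib marker."""
    for path in paths:
        try:
            with open(path, "rb") as fh:
                hits = embedded_zlib(fh.read())
        except OSError as exc:
            print(f"{path}: skipped ({exc})", file=sys.stderr)
            continue
        for component in sorted(hits):
            for version in sorted(hits[component]):
                yield path, component, version

# Constructed sample blobs (not real binaries): one with zlib linked in
# statically, one that only references the shared library.
SAMPLE_STATIC = (
    b"\x7fELF\x00\x00 inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
    b"\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
)
SAMPLE_DYNAMIC = b"\x7fELF\x00\x00libz.so.1\x00inflateInit_\x00deflateEnd\x00"

if __name__ == "__main__":
    # A distribution patch may leave the upstream version string unchanged,
    # so a hit means "embedded copy, check what it was built against",
    # not "vulnerable".
    for path, component, version in scan(sys.argv[1:]):
        print(f"{path}: static zlib {component} {version}")
```

Run it over a package's installed binaries; every hit is a candidate for a rebuild against the fixed zlib1g-dev, while dynamically linked binaries are covered by upgrading the shared library.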


