
Re: Addressing the recent zlib issue



On Sun, Jul 10, 2005 at 03:59:43PM +0200, Florian Weimer wrote:
> On my system, the following packages contain statically linked copies
> of zlib-related code:

I'm still interested in a full list of packages statically linked
to any version of zlib.

We had a few advisories about zlib so far:
DSA-763 (CAN-2005-1849): fixed in 1.2.2-4.sarge.2, 1.2.3-1
DSA-740 (CAN-2005-2096): fixed in 1.2.2-4.sarge.1, 1.2.2-7
DSA-122 (CVE-2002-0059): fixed in 1.1.3-5.1, 1.1.3-19.1, several
  other packages got fixed at that time.

Afaik, we don't even have advisories for:
CAN-2004-0797: fixed in 1.2.1.1-6
CVE-2003-0107: fixed in 1.1.4-10

And maybe I didn't even find a few.

I think we really should update all packages to:
- Build depend on zlib1g-dev when possible.
- Build them using the latest version (1.2.3-1)
- Document which are linked statically.


Kurt
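
One way to build the list asked for above, as an added example that is not part of the original message: zlib compiles a copyright string with its upstream version into deflate and inflate, so a binary carrying its own copy can be found by searching for that string. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# zlib's deflate/inflate sources define copyright strings of this form; they
# end up in any binary that carries its own copy of the code.
ZLIB_MARKER = re.compile(
    rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} "
    rb"(?:Jean-loup Gailly|Mark Adler)"
)
FIXED_UPSTREAM = (1, 2, 3)  # upstream version the message asks packages to use


def parse_version(text):
    """Turn '1.2.1.1' into (1, 2, 1, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib(data):
    """Return sorted (component, version, older_than_1_2_3) tuples found in data."""
    hits = set()
    for match in ZLIB_MARKER.finditer(data):
        version = match.group(2).decode()
        older = parse_version(version) < FIXED_UPSTREAM
        hits.add((match.group(1).decode(), version, older))
    return sorted(hits)


def scan_file(path):
    """Scan one file on disk for embedded zlib marker strings."""
    with open(path, "rb") as handle:
        return embedded_zlib(handle.read())


# Constructed sample bytes (not real binaries): one blob with an embedded copy,
# one that only references the shared library by name and symbol.
STATIC_SAMPLE = (b"\x7fELF\x00 deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00"
                 b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00")
DYNAMIC_SAMPLE = b"\x7fELF\x00libz.so.1\x00inflateInit_\x00deflate\x00"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for component, version, older in scan_file(path):
            note = " (older than 1.2.3)" if older else ""
            print(f"{path}: embedded {component} {version}{note}")
```

The string carries only the upstream version, so a copy built from a patched 1.2.2 source still reports 1.2.2 and needs a manual check. Copies with the string removed or altered are not found.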


