Re: Addressing the recent zlib issue
On Sun, Jul 10, 2005 at 03:59:43PM +0200, Florian Weimer wrote:
> On my system, the following packages contain statically linked copies
> of zlib-related code:
I'm still interested in a full list of packages statically linked
to any version of zlib.
We had a few advisories about zlib so far:
DSA-763 (CAN-2005-1849): fixed in 1.2.2-4.sarge.2, 1.2.3-1
DSA-740 (CAN-2005-2096): fixed in 1.2.2-4.sarge.1, 1.2.2-7
DSA-122 (CVE-2002-0059): fixed in 1.1.3-5.1, 1.1.3-19.1, several
other packages got fixed at that time.
Afaik, we don't even have advisories for:
CAN-2004-0797: fixed in 18.104.22.168-6
CVE-2003-0107: fixed in 1.1.4-10
And maybe I didn't even find a few.
I think we really should update all packages to:
- Build depend on zlib1g-dev when possible.
- Build them using the latest version (1.2.3-1)
- Document which are linked statically.