On 1/9/26 1:30 PM, G.W. Haywood wrote:
Hi there,
On Fri, 9 Jan 2026, Richard Shaw wrote:
So it looks like the bundled zlib has been removed but I'm pretty sure that hasn't made it into a release yet, correct?
It depends what you call a release. I consider it released as 0.63rc1.
Since it isn't just Perl code (there's quite a chunk of C in there) things like architectures may present issues so it would be really good to get some feedback.
At the moment I don't know how many people have actually used it. At least two if you look at the mailing list posts. One of those is me. :)
Bear in mind that in 0.62 the bundled zlib doesn't need to be compiled.

Just some thoughts / questions on the zlib CVE. There are two paths of vulnerability for the BackupPC server. One is the distro installed zlib and the other is the zlib bundled in BackupPC to date. The distro installed zlib supposedly will be patched soon, not as of yet. Anyone who has access to this server could avail themselves of the vulnerability till it is patched. Once it is patched then the only users who have access to the bundled zlib are those trusted BackupPC admin users. The client users shouldn't have direct access to the bundled zlib, correct? Just trying to get an idea of the risk level for the bundled zlib.
--
Jim KR
_______________________________________________
BackupPC-users mailing list
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/