Rob MacGregor wrote:

> I've raised a bug (with FreeBSD) regarding this on everybody else's
> behalf. I suspect the issue is that with 5.3 (and later) the version
> of zlib installed is patched, but the port doesn't check what version
> of FreeBSD is being used (and I've no idea how it could, but then I'm
> not a programmer).



AFAICT, FreeBSD prior to 5.3 uses zlib 1.1.4. At least all my 4.x boxes (generally 4.9 through 4.11) use that version; I don't have any 5.2.1 boxes (or, rather, I've already updated them to 5.3), though, so I can't directly check those.


Anyway, FreeBSD 5.3 upgraded zlib to 1.2.1, and the vulnerability was fixed without upgrading to 1.2.2 (i.e. the fix was backported or something -- see http://www.kb.cert.org/vuls/id/JGEI-64EQPH). I'm not exactly a fan of the practice, but FreeBSD is hardly the only vendor/distro to backport fixes without bumping version numbers.

Since according to http://www.zlib.net/ and http://www.kb.cert.org/vuls/id/238678 the vulnerability only affects 1.2.1, no released version of FreeBSD was *ever* vulnerable. As such, there's no need for the port's Makefile to check which version of FreeBSD is running, so I'd expect your bug report to be marked as invalid.

> Hopefully this will be addressed, without the need for people to
> update to 5.3 :)



FWIW, I'm running 0.81 on four 5.3 boxes each doing around 40-80K scans per day. I've only been running it since the ports tree was updated to include 0.81 (Monday) so the phrase 'test of time' is definitely inappropriate, but they've yet to hiccup, let alone crash. My 4.x boxes running 0.81 are also chugging away without issue, and I'm expecting little trouble as I upgrade client boxes to 0.81 over the next few days.


Craig.
------
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
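The exchange above turns on two checks that a version string alone cannot settle: which zlib a box is actually running, and whether a vendor has backported the fix without bumping the number (as Craig says FreeBSD 5.3 did for 1.2.1). The script below is an added illustration for this thread, not code from ClamAV or the FreeBSD ports tree; the only vulnerability fact it encodes is the one quoted above, that per zlib.net and VU#238678 the affected upstream release is 1.2.1. The function and parameter names (`parse_zlib_version`, `version_status`, `vendor_backported`) are my own. It uses Python's standard `zlib` module, whose `ZLIB_VERSION` (header the interpreter was built against) and `ZLIB_RUNTIME_VERSION` (library loaded at run time) give the build-time versus run-time comparison a port Makefile cannot perform.

```python
"""Classify a zlib version string against the release the CERT note lists,
and compare the zlib a program was built against with the one it loads.

Added example for this mailing-list thread; not ClamAV or FreeBSD code.
Assumptions (mine, not from the thread): the helper names below, and the
"vendor_backported" flag standing in for out-of-band knowledge that a
vendor ships a patched library under the original version number.
"""
import re
import zlib

# Per http://www.kb.cert.org/vuls/id/238678 as cited in the thread:
# the only upstream release listed as affected is 1.2.1.
AFFECTED_UPSTREAM = {(1, 2, 1)}


def parse_zlib_version(s):
    """Turn '1.2.1', '1.1.4', '1.2.3.4' or '1.2.1-vendor' into a tuple of
    ints, ignoring any non-numeric suffix a vendor may append."""
    m = re.match(r"(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError("unrecognised zlib version string: %r" % s)
    return tuple(int(x) for x in m.group(1).split("."))


def version_status(version, vendor_backported=False):
    """Classify a zlib version string.

    Returns one of:
      'affected'   - matches an upstream release the advisory lists
      'unknown'    - matches a listed release, but the vendor is known to
                     backport fixes without bumping the version, so the
                     string proves nothing either way (FreeBSD 5.3's 1.2.1)
      'not-listed' - not a release the advisory lists
    """
    v = parse_zlib_version(version)
    if v in AFFECTED_UPSTREAM:
        return "unknown" if vendor_backported else "affected"
    return "not-listed"


def header_vs_runtime(header=None, runtime=None):
    """Compare the zlib version the interpreter was compiled against with
    the one it actually loaded.  Defaults come from the running Python;
    pass strings to compare arbitrary pairs.  A mismatch is the situation
    a build-time check (what a port's Makefile sees) cannot detect."""
    if header is None:
        header = zlib.ZLIB_VERSION
    if runtime is None:
        # ZLIB_RUNTIME_VERSION exists on Python 3.3+; fall back otherwise.
        runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)
    return {
        "header": header,
        "runtime": runtime,
        "mismatch": parse_zlib_version(header) != parse_zlib_version(runtime),
    }


if __name__ == "__main__":
    # Sample inputs are constructed for illustration.
    for ver, backported in (("1.1.4", False), ("1.2.1", False),
                            ("1.2.1", True), ("1.2.2", False)):
        print(ver, "backported" if backported else "upstream",
              version_status(ver, vendor_backported=backported))
    print(header_vs_runtime())
```

The 'unknown' result is the practical caveat: once a vendor backports a fix, the only reliable sources are the vendor's own advisory or the library's changelog, not `zlibVersion()`.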