On Wed, 2005-02-16 at 14:57 +0100, Tarjei Knapstad wrote:
> On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote:
> > Dörfler Andreas said:
> > > the versioncheck for zlib isn't the best.
> > > suse for example fixes the security hole
> > > in 1.2.1 with patches and not with an installation
> > > from a new version.
> > > forget the warning.
> > >
> >
> > Sounds like suse has introduced a configuration management anomaly. How
> > much running around looking for such anomalies do you think these fine
> > developers should do for free?
> >
> > Damn, but this has been a week of whiners. This software hasn't a brain,
> > people, use your own.
> >
>
> Nobody is whining here Dennis.
>
> I was asking a question about what the zlib warning was all about. The
> 3rd party SRPM requires zlib 1.2.1.2 which is the latest available for
> FC3 (1.2.2.2 is in Rawhide). The zlib homepage doesn't mention anything
> about 1.2.2 (you can download it if you manually change the download
> URLs). From the zlib ChangeLog I can't see anything important that would
> make 1.2.1.2 any less acceptable than 1.2.2:
>
> Changes in 1.2.2 (3 October 2004)
> - Update zlib.h comments on gzip in-memory processing
> - Set adler to 1 in inflateReset() to support Java test suite [Walles]
> - Add contrib/dotzlib [Ravn]
> - Update win32/DLL_FAQ.txt [Truta]
> - Update contrib/minizip [Vollant]
> - Move contrib/visual-basic.txt to old/ [Truta]
> - Fix assembler builds in projects/visualc6/ [Truta]

A simple search in the archive for "zlib 1.2.2" turns this up:

http://lurker.clamav.net/message/20041103.143255.97fa22ec.en.html

It contains the references you are asking for, a link to the *current*
zlib homepage which has 1.2.2 all over it, and the front page then
states this:

"Version 1.2.2 eliminates a potential security vulnerability in zlib
1.2.1, so all users of 1.2.1 should upgrade immediately. The following
important fixes are provided in zlib 1.2.2:

* Eliminate a potential security vulnerability when decoding invalid
  compressed data
* Fix bug when decompressing dynamic blocks with no distance codes
* Do not return an error when using gzread() on an empty file"

-trog
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
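
Added example, not part of the thread and not ClamAV's own check: a sketch of a version-string test against the 1.2.2 threshold quoted above, showing why 1.2.1.2 draws a warning and why a vendor-patched 1.2.1 cannot be told apart from an unpatched one by its version alone. The function names and the vendor_backported flag are hypothetical.

```python
import re
import zlib

# Threshold taken from the zlib front-page text quoted in the thread.
FIXED_IN = (1, 2, 2)


def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a tuple."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def predates_fix(version, fixed_in=FIXED_IN):
    """True when the version sorts before the fixed release.

    Components are compared as integers (a plain string comparison would
    rank "1.2.11" below "1.2.2"), and shorter tuples are zero-padded so
    that 1.2.2 and 1.2.2.0 compare equal.
    """
    v = parse_version(version)
    width = max(len(v), len(fixed_in))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) < pad(fixed_in)


def check(version, vendor_backported=False):
    """Classify a zlib build by version string.

    vendor_backported is a hypothetical flag an administrator sets after
    confirming that the distribution patched its package; nothing in the
    version string itself can supply it.
    """
    if not predates_fix(version):
        return "ok"
    return "old-version-vendor-patched" if vendor_backported else "warn"


if __name__ == "__main__":
    # Versions named in the thread, plus one later release for the
    # integer-comparison case.
    for v in ("1.2.1", "1.2.1.2", "1.2.2", "1.2.2.2", "1.2.11"):
        print(v, check(v))
    runtime = zlib.ZLIB_RUNTIME_VERSION
    print("zlib loaded by this interpreter:", runtime, check(runtime))
```
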