Hi Gerald,

Just to let you know, the Sun/Cobalt Vulnerability Assessment team is aware of this and is working to resolve it. This is a low threat level right now due to the difficulty of exploiting a double free bug. Our research indicates that the following might be vulnerable.

zlib (update to v 1.1.4)
cvs (updated to use system shared zlib)
dump (updated to use system shared zlib)
gcc3 (if we are using it anywhere)
libgcj (updated to use system shared zlib)
Linux kernel (uses internal zlib variant with bug)
rsync (incorporates other security fixes as well)

These are the updated RPMs from the RedHat advisory.

I would rather not show up "on-list" on this one due to the amount of time answering all the e-mails would take, but if you are looking for a list of impacted packages, the above is what we found. I'm not sure what the sustaining schedule looks like, but a patch will be generated as soon as possible.

Thanks for your support of Sun Cobalt products!

Mark.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gerald Waugh
Sent: Tuesday, March 12, 2002 10:57 PM
To: [EMAIL PROTECTED]
Subject: [cobalt-security] Double Free Bug in ZLIB Compression Library

Upgrade your version of zlib

The maintainers of zlib have released version 1.1.4 to address this vulnerability. Upgrade any software that is linked to or derived from an earlier version of zlib. The latest version of zlib is available at http://www.zlib.org

http://www.cert.org/advisories/CA-2002-07.html

--
Gerald Waugh

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
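
Added example, not part of the original thread and not Sun Cobalt's or the zlib maintainers' code: the advice above covers software "linked to or derived from" an earlier zlib, which includes copies compiled into other binaries. This Python script scans a file's bytes for the version banner that stock zlib embeds and reports versions older than 1.1.4; the banner format, the function names and the sample byte strings are assumptions of the example.

```python
import re
import sys

# Assumption: stock zlib compiles in banner strings of the form
# " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly " (and " inflate ...").
# A modified or stripped copy may not carry them, so no match is not proof
# that a binary is free of zlib code.
BANNER = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright")
FIXED = (1, 1, 4)  # release named in the thread as addressing the bug


def embedded_versions(blob):
    """Return sorted unique (component, version) banners found in blob."""
    return sorted({(m.group(1).decode(), m.group(2).decode())
                   for m in BANNER.finditer(blob)})


def pre_fix(blob):
    """Return only the banners whose version is older than FIXED."""
    return [(comp, ver) for comp, ver in embedded_versions(blob)
            if tuple(int(p) for p in ver.split(".")) < FIXED]


# Constructed sample inputs (not real binaries).
SAMPLE_OLD = (b"\x7fELF\x01\x01\x00"
              b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
              b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
SAMPLE_FIXED = (b"\x7fELF\x01\x01\x00"
                b" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00")

if __name__ == "__main__":
    # Usage (hypothetical script name): python find_old_zlib.py FILE...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = pre_fix(fh.read())
        status = ", ".join(f"{c} {v}" for c, v in hits) or "no pre-1.1.4 banner"
        print(f"{path}: {status}")
```

Binaries that link the system shared zlib carry no banner of their own; for those, checking the installed shared library is enough.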
