* José Luis Tallón:
>> What is the security bug? How is the statically linked binary used?
>> Mike Stone
>
> Buffer overflow in ZLib, if memory serves me well.
>
> BScan / BCopy should not need to use zlib, but a new version is probably
> a good idea (please note that bacula-sd itself is *not* statically
> linked, and so should use the fixed version of zlib as soon as the lib
> is updated and bacula-sd restarted). Better safe than sorry, however.

I think what Michael wants to know is whether bscan.mysql actually *uses* zlib to process data from an untrusted source. There is no vulnerability if bscan.mysql only decompresses data which is trusted anyway (configuration files would be a typical example, although it's unlikely they are compressed).
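
As an added example (not part of the original thread and not Bacula code), one way to check the first half of that question, whether a binary carries its own copy of zlib's decompression code, is to look for the copyright marker strings zlib compiles into its objects. The function names, sample bytes and the 9.9.9 version are assumptions constructed for illustration.

```python
import re
import sys

# Marker strings zlib compiles into its objects (inflate_copyright in
# inftrees.c, deflate_copyright in deflate.c). A static link copies them into
# the executable; a dynamically linked program leaves them in libz.so.
MARKER = re.compile(rb" (inflate|deflate) ([0-9][0-9A-Za-z.\-]*) Copyright ")


def embedded_zlib(data: bytes) -> dict:
    """Map 'inflate'/'deflate' to the sorted zlib versions embedded in data."""
    found = {}
    for kind, version in MARKER.findall(data):
        found.setdefault(kind.decode(), set()).add(version.decode())
    return {kind: sorted(versions) for kind, versions in found.items()}


def has_private_inflate(data: bytes) -> bool:
    """True if the file embeds zlib's decompression objects (heuristic)."""
    return "inflate" in embedded_zlib(data)


# Constructed sample bytes (not taken from any real bscan binary); the version
# number 9.9.9 is a placeholder.
SAMPLE_STATIC = (
    b"\x7fELF\x02\x01\x01\x00"
    b"\x00 deflate 9.9.9 Copyright 1995-2099 Jean-loup Gailly \x00"
    b"\x00 inflate 9.9.9 Copyright 1995-2099 Mark Adler \x00"
)
# Constructed sample of a dynamically linked program: only the library name
# and an imported symbol appear, not the marker strings.
SAMPLE_DYNAMIC = b"\x7fELF\x02\x01\x01\x00libz.so.1\x00inflateInit_\x00"

if __name__ == "__main__":
    # Usage: python check_zlib.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, embedded_zlib(blob) or "no embedded zlib markers")
```

A hit only shows that a private copy of the code is in the file and will not be fixed by updating the shared library; whether that code ever sees untrusted input still has to be answered by reading how the program uses it.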

