Micah,

Thanks for detecting this; however, I don't think
systemimager-ssh is vulnerable.

systemimager-ssh includes its own copy of zlib because of a dependency
in the ssh binary it builds.  These binaries are downloaded by a client
system and used to set up a tunnel to the server.  The ssh commands used
are pre-determined, and do not enable compression.  I audited the ssh
source, and every use of zlib that I can find is conditional upon the
compression option.

Therefore I don't believe systemimager-ssh should be considered
vulnerable to vulnerabilities in zlib.

Unfortunately, compression is not a build-time option for openssh, so it
would be somewhat invasive to remove the unused zlib library.
-- 
dann frazier <[EMAIL PROTECTED]>
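
An added example, not part of the original message or of systemimager-ssh: one way to check the claim that a fixed set of ssh command lines never turns compression on. The sample command lines and host name are constructed, and the check conservatively flags `-C` or any `Compression` setting other than `no`.

```python
import shlex

# Option letters that take an argument, per the ssh(1) synopsis.
ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")

# Constructed sample command lines (not taken from systemimager-ssh).
SAMPLES = ["ssh -N -f -L 8730:127.0.0.1:873 imageserver",
           "ssh -NfC -L 8730:127.0.0.1:873 imageserver",
           "ssh -oCompression=no -l root imageserver ls -C"]

def setting_enables_compression(setting):
    """True for 'Compression yes' / 'Compression=yes'; any value except 'no' counts."""
    parts = setting.replace("=", " ", 1).split()
    return (len(parts) >= 2 and parts[0].lower() == "compression"
            and parts[1].lower() != "no")

def command_enables_compression(command):
    """Conservatively flag -C or -o Compression=<not no> among the ssh options."""
    argv = shlex.split(command)[1:]           # drop the program name
    seen_destination = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        i += 1
        if arg == "--":
            continue
        if not arg.startswith("-") or arg == "-":
            if seen_destination:
                return False                  # remote command starts; stop scanning
            seen_destination = True           # ssh still accepts options after the host
            continue
        for j, letter in enumerate(arg[1:], start=1):
            if letter == "C":
                return True
            if letter in ARG_OPTS:            # value: rest of this word, else next word
                value = arg[j + 1:]
                if not value and i < len(argv):
                    value = argv[i]
                    i += 1
                if letter == "o" and setting_enables_compression(value):
                    return True
                break
    return False

def config_enables_compression(text):
    """Same check over the lines of an ssh_config-style file."""
    lines = (line.strip() for line in text.splitlines())
    return any(setting_enables_compression(l) for l in lines if not l.startswith("#"))
```
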


