Recommend that people upgrade, but the vulnerability is *VERY* small. This is merely talking about corruption of malloc structures. To map that into an *application* is practically impossible. It highly depends upon the sequence of malloc() calls, sizes, etc.
IOW, we do nothing but recommend zlib 1.1.4. As an aid, we could have an autoconf test for the version and issue a warning. But I don't see code changes needed.

Cheers,
-g

On Mon, Mar 11, 2002 at 03:41:13PM -0800, Ryan Bloom wrote:
> We should probably do something about this, but I'm not sure what.
>
> Ryan
>...
> -----Original Message-----
> From: GOMEZ Henri [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 11, 2002 3:54 PM
> To: Ryan Bloom
> Subject: zlib vulnerability
>
> Hi Ryan,
>
> Sorry to disturb you but a quick note to warn you
> about a vulnerability in zlib (which may be used in
> Apache 2.0 code).
>
> http://www.gzip.org/zlib/advisory-2002-03-11.txt
>
> Regards
>
> -
> Henri Gomez                 ___[_]____
> EMAIL : [EMAIL PROTECTED]        (. .)
> PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6

--
Greg Stein, http://www.lyra.org/
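
The version test suggested in the reply above, written as a configure-style shell check. This is an added example, not code from the thread or from Apache; the function names (`zlib_header_version`, `version_lt`, `check_zlib`) are hypothetical and the sample header is constructed.

```shell
#!/bin/sh
# Added example: warn when the zlib headers found at build time are
# older than 1.1.4. Function names are hypothetical, not Apache's.

# Print the ZLIB_VERSION string defined in a zlib.h file (e.g. 1.1.3).
zlib_header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}ZLIB_VERSION[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) only if dotted version $1 is strictly older than $2.
# Missing components count as 0, so 1.1 sorts before 1.1.4.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Return 0 if the header is new enough, 1 (with a warning) if it is too
# old, 2 if the version cannot be determined.
check_zlib() {
    header=$1
    min=${2:-1.1.4}
    ver=
    [ -r "$header" ] && ver=$(zlib_header_version "$header")
    if [ -z "$ver" ]; then
        echo "warning: cannot determine zlib version from $header" >&2
        return 2
    fi
    if version_lt "$ver" "$min"; then
        echo "warning: zlib $ver found; $min or later is recommended" >&2
        return 1
    fi
    echo "zlib $ver ok"
}

# Constructed sample header (not a real zlib.h) to exercise the check.
demo_dir=$(mktemp -d)
printf '#define ZLIB_VERSION "1.1.3"\n' > "$demo_dir/zlib.h"
check_zlib "$demo_dir/zlib.h" || :
rm -rf "$demo_dir"
```

The check reads the headers present at build time; a dynamically linked binary uses whatever zlib is installed at run time, so the installed library version still needs to be confirmed separately.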
