Wrong list. Sorry.

-------- Original Message --------
Subject: LFS-6.1 - svn and security issues
Date: Sun, 10 Jul 2005 12:18:31 -0500
From: Bruce Dubbs <[EMAIL PROTECTED]>
To: BLFS Support List <[email protected]>
References: <[EMAIL PROTECTED]>

Matthew Burgess wrote:
> The Linux From Scratch community is pleased to announce the release of
> LFS 6.1. This release includes a large number of package upgrades
> (including Linux-2.6.11.12, GCC-3.4.3 and Glibc-2.3.4) and security
> fixes (including the recently disclosed zlib vulnerability). It also
> includes a large amount of editorial work on the explanatory material
> throughout the book, improving both the clarity and accuracy of the text.
>
> You can read the book online at
> http://www.linuxfromscratch.org/lfs/view/6.1/, or download to read it
> locally from http://www.linuxfromscratch.org/lfs/downloads/6.1/.

I pulled a fresh copy of LFS from SVN:

svn co svn://linuxfromscratch.org/LFS/branches/6.1/

and built it. I was surprised that the title was:

Version TESTING-20050709

Perhaps there needs to be an update in the branch to general.ent:

s/TESTING-20050709/6.1/

---------------

Additionally, you may want to consider releasing LFS 6.1.1 due to a zlib vulnerability:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
http://www.debian.org/security/2005/dsa-740

The fix appears to be:

+--- zlib-1.2.2.orig/inftrees.c 2004-09-15 15:30:06.000000000 +0100 ++++ zlib-1.2.2/inftrees.c 2005-07-02 14:42:24.270321629 +0100 +@@ -134,7 +134,7 @@ + left -= count[len]; + if (left < 0) return -1; /* over-subscribed */ + } +- if (left > 0 && (type == CODES || (codes - count[0] != 1))) ++ if (left > 0 && (type == CODES || max != 1)) + return -1; /* incomplete set */ + + /* generate offsets into symbol table for each length for sorting */

Which LFS should probably do with a sed:

sed -i 's/(codes - count\[0\] != 1)/max != 1/' inftrees.c

Alternatively, I suspect there will be a zlib 1.2.3 in the next day or two.

-- Bruce
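
Review bot: The replacement condition `max != 1` in the incomplete-set check reads `max`, which is not assigned anywhere in the context lines shown, so the hunk alone does not show that it holds the intended value at this point; confirm against the full inftrees.c that it is computed before this check, and consider a short comment on the changed line saying why an incomplete set is tolerated only when `max` is 1. Also, every line of the hunk as pasted carries an extra leading `+` (`+---`, `++++`, `+@@`), meaning it is a patch quoted from inside another diff, so that column has to be stripped before `patch` will accept it.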
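
A scripted form of the one-line inftrees.c change that checks the substitution really happened, since sed exits 0 even when its pattern matches nothing (in a sed pattern an unescaped `[0]` is a bracket expression, not the literal text). This is an added example, not part of the original message or of the LFS book; the function names `fix_inftrees` and `would_change` are hypothetical.

```shell
#!/bin/sh
# Added example: apply the inftrees.c one-liner and verify the result.
# Usage after sourcing: fix_inftrees path/to/zlib-1.2.2/inftrees.c

OLD_EXPR='(codes - count[0] != 1)'   # text the hunk removes
NEW_EXPR='max != 1'                  # text the hunk adds

# True (0) when sed expression $1 would alter file $2.
# sed itself exits 0 whether or not anything matched.
would_change() {
    sed "$1" "$2" | cmp -s - "$2" && return 1
    return 0
}

# Return codes: 0 = fixed now, 1 = error or verification failed,
#               2 = already fixed, 3 = expected expression not found.
fix_inftrees() {
    f=$1
    [ -f "$f" ] || return 1
    if ! grep -qF -- "$OLD_EXPR" "$f"; then
        if grep -qF -- "type == CODES || $NEW_EXPR" "$f"; then
            return 2
        fi
        return 3
    fi
    tmp="$f.tmp.$$"
    # \[ and \] make the brackets literal; ( and ) are already literal
    # in a basic regular expression.
    sed 's/(codes - count\[0\] != 1)/max != 1/' "$f" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    # Install the new file only if the old test is gone and the new one is there.
    if grep -qF -- "$OLD_EXPR" "$tmp" \
        || ! grep -qF -- "type == CODES || $NEW_EXPR" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$f"
}
```

A return code of 3 in a build script is the signal that the source tree is not the version the substitution was written for.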
