OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   25-Aug-2004 18:13:28
  Branch: HEAD                             Handle: 2004082517132800

  Modified files:
    openpkg-web/security    OpenPKG-SA-2004.038-zlib.txt

  Log:
    apply Michael's feedback

  Summary:
    Revision    Changes     Path
    1.2         +11 -11     openpkg-web/security/OpenPKG-SA-2004.038-zlib.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2004.038-zlib.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.038-zlib.txt
--- openpkg-web/security/OpenPKG-SA-2004.038-zlib.txt 25 Aug 2004 15:11:24 -0000
1.1
+++ openpkg-web/security/OpenPKG-SA-2004.038-zlib.txt 25 Aug 2004 16:13:28 -0000
1.2
@@ -37,9 +37,9 @@
xemacs xfig xmame xplanet xv zimg
Description:
- Triggered by Debian bug report [1], a denial of service vulnerability
+ Triggered by a Debian bug report [1], a denial of service vulnerability
was found in the ZLib compression library [0] versions 1.2.x
- (older versions are not affected). The problem is an incorrect
+ (older versions are not affected). The problem arises from incorrect
error handling in the inflate() and inflateBack() functions. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2004-0797 [2] to the problem.
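Review bot: The reworded opening line still has a dangling modifier: "Triggered by a Debian bug report [1], a denial of service vulnerability was found" reads as if the bug report triggered the vulnerability rather than its discovery. Something like "Following a Debian bug report [1], a denial of service vulnerability was found ..." avoids that. While this paragraph is being touched, "ZLib" here differs from the "zlib" spelling used for the package in the rest of the advisory, and the description names inflate() and inflateBack() without saying what kind of input reaches the faulty error handling, which is the detail an administrator needs to judge exposure.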
@@ -47,7 +47,7 @@
Please check whether you are affected by running "<prefix>/bin/openpkg
rpm -q zlib". If you have the "zlib" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
- (see Solution) and its dependent packages (see above), too [3][4].
+ (see Solution) and its dependent packages (see above) as well [3][4].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
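Review bot: The check in this paragraph only queries the installed "zlib" package ("openpkg rpm -q zlib"), and the changed line still says to "upgrade" the dependent packages, while the Solution text states that dependent packages carry statically linked "libz.a" code and must be rebuilt. Once the fixed "zlib" is installed, this query reports a fixed version even though previously built dependents are unchanged. Suggest wording the last sentence as "upgrade it (see Solution) and rebuild its dependent packages (see above) as well", and noting that the version query does not cover the dependents.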
@@ -68,14 +68,14 @@
$ su -
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/zlib-1.2.1-2.1.1.*.rpm
- Additionally, you have to rebuild and reinstall at least all dependent
- packages (see above), if they are installed in your OpenPKG instance.
- Just updating the "zlib" package is NOT sufficient because all
- executables in dependent packages have to be relinked against the
- fixed static library "libz.a". Because of transitive dependencies and
- the fact that "zlib" is used by lots of libraries and programs, the
- ultimate safest way is to just rebuild all packages in your OpenPKG
- instance.
+ Additionally, rebuild and reinstall any other dependent packages (see
+ above) already installed in your OpenPKG instance. Only updating the
+ "zlib" package is NOT sufficient because of the statically linked old
+ "libz.a" code residing in the executables of other dependent packages.
+
+ Due to transitive dependencies and because "zlib" is used by many
+ other libraries and programs, the safest way to secure an OpenPKG
+ instance is to rebuild all packages installed in it.
________________________________________________________________________
References:
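Review bot: In the new first paragraph, "any other dependent packages" is ambiguous (other than what?), and the rewrite drops the old text's explicit statement that the executables "have to be relinked against the fixed static library", which also implied the order of operations. Suggest "rebuild and reinstall all dependent packages (see above) that are installed in your OpenPKG instance" and stating that the rebuild has to happen after the fixed "zlib" is installed. The zlib upgrade above is given as a concrete command, but the rebuild step has none, so a pointer to the rebuild procedure would help here.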
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]