--- Dennis Clarke <[EMAIL PROTECTED]> wrote:
> On 7/9/05, Alan Coopersmith <[EMAIL PROTECTED]> wrote:
> > James Dickens wrote:
> > > http://www.informationweek.com/story/showArticle.jhtml?articleID=165701026&tid=5979
> > >
> > > The bug, which affects the current version of zlib, 1.2.2,
> >
> > The advisories I've seen all state that zlib versions 1.2.0 -> 1.2.2
> > are affected, but older ones are not. I believe the zlib included in
> > Solaris is older than that (1.1.4 according to /usr/include/zlib.h) but you
> > may have installed a newer rev from blastwave, sunfreeware, etc. that you
> > should check for updates to.
> >
>
> To follow up with everyone:
>
> http://www.blastwave.org/articles/BLS-0034/index.html
>
> And to quote Alan somewhat :-)
>
> This is *NOT* an official security patch - I can't make such things,
> just a followup based on what the Gentoo people have done.
>
> There will be an update available to Solaris users just as soon as a
> patch is _actually_ released via the zlib people. You can bet that we
> at Blastwave take production servers deadly serious and will not slap
> in a patch unless it makes sense to do so.
>
> So wait for a package update that will be along just as soon as possible.
>
> Dennis Clarke
> Director and Admin for blastwave.org
> [EMAIL PROTECTED]

Zlib.org has updated their website and haven't released an official update as of June 10th:

'IMPORTANT NOTE: (July 10, 2005) A new security vulnerability has been discovered in which specially crafted input files can cause inflate to overwrite memory that follows the internal inflate state. This can cause the application to crash depending on what is overwritten. This vulnerability only affects versions 1.2.1 and 1.2.2. of zlib. Earlier versions, e.g. 1.1.4, are not affected. A new version of zlib will be released soon to address this issue. Stay tuned.'

Blastwave.org has the latest source of zlib and binaries for Solaris and I'll upgrade the zlib package as soon as the updated 'official' patch/source is available from the zlib organization's website.

Note: I've seen non-official patches, but won't add those unless they are approved by the zlib developers.

Thanks,
Ken Mays
