Hi,

After the SuSE tandem announcement regarding zlib vuln. I have noticed that some other distros are also providing updates for ppp, XFree86. I do not think I have seen these in the announcement. Does that mean those SuSE rpm's are not vulnerable for the zlib vul or yet more to come in the coming days is what I should read?

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Just guessing: Maybe these packages are dynamically linked against the
system libz. Then the following paragraph from the announcement would
apply:
| The packages affected by the double-free() libz bug can be divided into
| two categories:
|
| 1) packages that link dynamically against the system-provided
| compression library. These packages get fixed automatically with
| the update of the libz package as described in SuSE-SA:2002:010.
| Please note that the processes will continue to use the old
| version of the libz.so shared library if they have not been
| restarted after the libz package upgrade.
--
Rolf Krahl
* Rolf Krahl;
Just guessing: Maybe these packages are dynamically linked against the system libz. Then the following paragraph from the announcement would
I made the same assumption as you did but for some reason I do not feel secure as I have ppp running since Roman mentioned the Kernel update to be announced soon hence was the question.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
I agree, with some minor changes. :-)
First off, I'm supposed to forward an email from Harald König, it got
intercepted by the lists server:
--------------
From: Harald Koenig
Just guessing: Maybe these packages are dynamically linked against the system libz. Then the following paragraph from the announcement would apply:
at least XFree86 4.2.0 and older need to be fixed.
it uses its own zlib for some platforms -- e.g. on Linux
but not for Debian. for details see
http://www.xfree86.org/4.2.0/ERRATA.html
ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/
Harald
--
-------------
In other words: run ldd on your X server and see that it's dynamically
linked.
The thing in the kernel: The ppp code with SLHC isn't the actual thing to
worry about: You'd have to attack that kernel from the other end of your
ptp connection, be it ISDN or modem or pppoe - it's your provider's
hardware. Almost all other occasions in the kernel use compression with
root-supplied data only.
What worries me more is the use of libz in freeswan.
As I said, we're working on it.
Thanks,
Roman.
--
- -
| Roman Drahtmüller
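
The two checks discussed in this thread (running ldd on a binary, and the announcement's note that processes keep the old libz.so until restarted), as an added example that is not part of the original messages. The function names, the script name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a binary gets its zlib, and find processes
# that still map a libz.so that was replaced on disk by the update.

# Read `ldd` output on stdin and print one of:
#   dynamic-libz    uses the system libz.so (fixed by the libz package update)
#   no-system-libz  dynamic, but no libz.so dependency (may bundle its own copy)
#   static          not a dynamic executable (any zlib in it is compiled in)
classify_ldd() {
    ldd_out=$(cat)
    case "$ldd_out" in
        *"not a dynamic executable"*|*"statically linked"*) echo static ;;
        *libz.so*) echo dynamic-libz ;;
        *) echo no-system-libz ;;
    esac
}

# Read /proc/<pid>/maps content on stdin; succeed if it maps a libz.so whose
# file was deleted or replaced since the process started.
maps_has_stale_libz() {
    grep -q 'libz\.so.*(deleted)'
}

# Print the PIDs of running processes that still use the old libz.so.
stale_libz_pids() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_libz < "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DYNAMIC='    libz.so.1 => /lib/libz.so.1 (0x40021000)
    libc.so.6 => /lib/libc.so.6 (0x40030000)'
SAMPLE_BUNDLED='    libm.so.6 => /lib/libm.so.6 (0x40021000)
    libc.so.6 => /lib/libc.so.6 (0x40043000)'
SAMPLE_STATIC='    not a dynamic executable'
SAMPLE_MAPS='40021000-4002e000 r-xp 00000000 03:02 12345  /lib/libz.so.1.1.3 (deleted)'

# Usage: sh check-libz.sh /path/to/binary   (script name is hypothetical)
if [ $# -gt 0 ]; then
    echo "$1: $(ldd "$1" 2>&1 | classify_ldd)"
    echo "PIDs still mapping the old libz.so:"
    stale_libz_pids
fi
```

A result of `no-system-libz` or `static` does not show that a binary is free of zlib code; it only means the libz package update alone does not cover it. Run the PID scan as root so that other users' `/proc/<pid>/maps` files are readable.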