2) packages that contain the compression library in their own source distribution. These packages need an individual bugfix. We have prepared update packages for this software that can be downloaded from the locations as shown below.
Shouldn't these packages rather be modified to use the system library rather than fixing them all individually? I know, this is beyond the scope of a security bugfix as the latter shouldn't contain feature changes and this can often not be done as quickly as needed. But I think, a package bringing a library on its own, when decent system libraries are available, this is a quite stupid idea and it is also a security issue, as we can see with this announcement.
Your approach is obviously correct, and in some cases we even proceed that way. (Since libz is used by so many packages, we began to wonder why some packages still bring their own. Seems like it's "en vogue" to do so...) In some cases though you might not want to mess up because the authors modified the code for optimizations and other adaptions. Prominent example: rsync.
Rolf Krahl
Roman.
--
- -
| Roman Drahtmüller