Mailinglist Archive: opensuse-security (408 mails)

SuSE 7.2 and zlib vulnerability
  • From: Roland Moriz <suse@xxxxxxxxx>
  • Date: Sun, 14 Apr 2002 02:52:54 +0200
  • Message-id: <5.1.0.14.2.20020414020615.03097350@xxxxxxxxxxxxx>
Hi Folks,

I'm not a Linux library geek but I found something curious:

I've scanned my SuSE 7.2 prof. system after updating the packages as described in
http://www.suse.de/de/support/security/2002_010_libz_txt.html and
http://www.suse.de/de/support/security/2002_011_libz_packages_txt.html
for libz and I found the following:

==== Short ==

Name : shlibs5 Relocations: (not relocateable)
Version : 2001.7.30 Vendor: SuSE GmbH, Nuernberg, Germany
Release : 21 Build Date: Mon Sep 17 00:13:19 2001
Install date: Fri Oct 5 22:22:29 2001 Build Host: D45.suse.de

seems still to have a vulnerable zlib:

/usr/i486-linux-libc5/lib/libz.so
/usr/i486-linux-libc5/lib/libz.so.1
/usr/i486-linux-libc5/lib/libz.so.1.1.3

Maybe someone can have a closer look into that?


regards,
Roland


==== LONG ===

s1:/usr/i486-linux-libc5/lib # locate libz
/lib/libz.so.1
/lib/libz.so.1.1.3
...
/usr/i486-linux-libc5/lib/libz.so
/usr/i486-linux-libc5/lib/libz.so.1
/usr/i486-linux-libc5/lib/libz.so.1.1.3
...
/usr/lib/libz.a
/usr/lib/libz.so
...

Then I checked the update zlib package:

s1:/usr/i486-linux-libc5/lib # rpm --query -a |grep libz
libz-1.1.3-573

s1:/usr/i486-linux-libc5/lib # rpm --query libz-1.1.3-573 -l
/lib/libz.so.1
/lib/libz.so.1.1.3
...
/usr/include/zlib.h
...
/usr/lib/libz.a
/usr/lib/libz.so
...

So I'm surprised by that because the zlib in /usr/i486-linux-libc5/lib/ seems to be old and vulnerable! I found that the zlib there belongs to "shlibs5":

s1:/usr/i486-linux-libc5/lib # rpm --query -f /usr/i486-linux-libc5/lib/libz.so
shlibs5-2001.7.30-21

s1:/usr/i486-linux-libc5/lib # rpm -qi shlibs5
Name : shlibs5 Relocations: (not relocateable)
Version : 2001.7.30 Vendor: SuSE GmbH, Nuernberg, Germany
Release : 21 Build Date: Mon Sep 17 00:13:19 2001
Install date: Fri Oct 5 22:22:29 2001 Build Host: D45.suse.de

It looks like this is the latest version
(ftp://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/7.2/a2)


regards,
Roland
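
The check walked through in the message above (list every copy of libz, ask RPM which package owns it, flag any copy the updated package does not own), as an added shell example that is not part of the original mail. The function names are hypothetical, and the sample inventory is constructed from the paths and package names in the post plus one made-up unowned path.

```shell
#!/bin/sh
# Added example: find copies of a library that a security update did not replace.

# Constructed "path<TAB>owning package" inventory. The first three rows use
# paths and packages quoted in the post; the /opt/demo row is made up.
sample_inventory() {
    printf '%s\t%s\n' \
        /lib/libz.so.1.1.3 libz-1.1.3-573 \
        /usr/lib/libz.a libz-1.1.3-573 \
        /usr/i486-linux-libc5/lib/libz.so.1.1.3 shlibs5-2001.7.30-21 \
        /opt/demo/lib/libz.so.1 "not owned by any package"
}

# Build the same inventory on a live RPM system.
# Usage: live_inventory /lib /usr
# -type f skips the libz.so and libz.so.1 symlinks so each real file is
# reported once.
live_inventory() {
    find "$@" -xdev -type f -name 'libz.*' 2>/dev/null |
    while IFS= read -r path; do
        # rpm -qf exits non-zero when no package owns the file.
        owner=$(rpm -qf --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$path" 2>/dev/null) ||
            owner="not owned by any package"
        printf '%s\t%s\n' "$path" "$owner"
    done
}

# Read an inventory on stdin and print every copy whose owner is not the
# updated package given as $1 (full name-version-release).
flag_unpatched() {
    awk -F '\t' -v pkg="$1" '
        $2 != pkg { printf "REVIEW %s (owner: %s)\n", $1, $2 }'
}

# Demo on the constructed inventory; on a real host run instead:
#   live_inventory /lib /usr | flag_unpatched libz-1.1.3-573
sample_inventory | flag_unpatched "libz-1.1.3-573"
```

A flagged path only means the update did not touch that file; whether the copy is actually vulnerable still has to be confirmed against the owning package's changelog or the vendor advisory.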


