 
From: Brett Glass (brettlariat.org)
Date: Mon Mar 18 2002 - 15:05:15 CST


    At 09:20 AM 3/18/2002, Chris Faulhaber wrote:

    >Yes, any software that uses libz is vulnerable to the double-free
    >bug (but not necessarily exploitable).

    Great. This comes just as I'm about to set up some new systems....
    Not to mention the fact that I'll have to patch some old ones. And
    even if I load 4.5-STABLE, my confidence that I'll get a system
    that's immune to the bug is a bit shaky. Many apps in the ports/packages
    collection may use zlib, leaving them vulnerable to a DoS at best and
    exploitation at worst.

    So, I'm wondering: What's the best way, as I load up the new systems,
    to ensure that I'm not installing ANY code that was statically linked
    with the old, buggy zlib?

    At the same time, I also need to patch or otherwise work around
    the OpenSSH local root hole (I spent lots of time rebuilding OpenSSH
    on existing machines). 4.5-STABLE should cover this, but I always
    dislike loading between-release snapshots. You never know when there's
    a hidden bug in -STABLE that'll be fixed the next day or week.

    It sounds as if, perhaps, there ought to be a FreeBSD 4.5.1 release
    that handles the zlib bug, the OpenSSH hole, and anything else that
    has come up since 4.5-RELEASE.

    --Brett
