On 3/11/02 at 10:42 PM, Manfred Schuler <[EMAIL PROTECTED]> wrote:

> Today I received this security announcement.
> If you think it is not necessary to forward this message
> to the list, please tell me.

Should we (as distribution creators) be sending out our own "Official Vendor Security Alerts"? Sounds logical to me...

> The zlib compression library is being used by many
> applications to provide data compression/decompression
> routines. An error in a decompression routine can corrupt
> the internal data structures of malloc by a double call to
> the free() function. If the data processed by the
> compression library is provided from an untrusted source,
> it may be possible for an attacker to interfere with the
> process using the zlib routines. The attack scenario
> includes a denial of service attack and memory/data
> disclosure, but it may also be possible to insert
> arbitrary code into the running program and to execute
> this code. This update fixes the known problems in the
> libz/zlib as a permanent fix. There exists no temporary
> workaround that can efficiently remedy the problem.
>
> The following is a list of the packages in category 2):
> gpg
> rsync
> cvs
> rrdtool
> freeamp
> netscape
> vnc
> kernel

I've created packages for rsync and vnc. Both probably should be updated. The kernel should be updated as well. I don't remember creating a cvs.lrp, but you never know... should check.

Would this affect OpenSSL?

Also, are you all aware that there is a vulnerability in OpenSSH 3.0 and earlier? Fix exists in OpenSSH 3.1...

-- 
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
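A package that carries its own statically linked copy of zlib is not fixed by updating the shared library alone, so a maintainer deciding which packages to rebuild needs a way to find those copies. The following is an added example, not code from this thread or from the LEAF project: a POSIX shell check that scans a tree of files for the copyright string zlib embeds in its inflate code and flags every file whose embedded version is older than a minimum the caller supplies (the exact string layout is an assumption, and the minimum safe version is left to the maintainer).

```shell
#!/bin/sh
# Added example (not from the original thread or the LEAF project).
# Finds files that embed zlib's inflate copyright string, which is
# assumed to look like " inflate 1.1.3 Copyright 1995-1998 Mark Adler ",
# and reports those whose embedded version is below a caller-chosen minimum.

# Print "version path" for every regular file under $1 that embeds the
# zlib inflate copyright string. Version comes first so paths may contain spaces.
find_embedded_zlib() {
    find "$1" -type f | while IFS= read -r f; do
        v=$(LC_ALL=C grep -a -o ' inflate [0-9][0-9.]* Copyright' "$f" 2>/dev/null \
            | head -n 1 | awk '{print $2}')
        if [ -n "$v" ]; then
            printf '%s %s\n' "$v" "$f"
        fi
    done
}

# Return 0 if dotted version $1 is older than dotted version $2.
# Compares component by component numerically; missing components count as 0.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# For tree $1, report each file whose embedded zlib is older than version $2.
report_stale_zlib() {
    find_embedded_zlib "$1" | while read -r v f; do
        if version_older_than "$v" "$2"; then
            printf '%s: embedded zlib %s is older than %s, rebuild this package\n' "$f" "$v" "$2"
        fi
    done
}
```

Run it as `report_stale_zlib /path/to/unpacked/packages MIN_VERSION`; files that only link the shared libz will not show up and are covered by the library update instead.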