Package: fastjar
Version: 1:3.0.4-2
Severity: grave
Justification: user security hole
Tags: security

fastjar and grepjar both appear to link statically to zlib, so need to be rebuilt against a zlib1g-dev not vulnerable to the recently announced security hole.

(Actually, when I configured gcc-3.0 on auric it seemed to end up with 'ZLIBS = $(top_builddir)/../zlib/libz.a -L$(here)/../zlib/', despite the use of --with-system-zlib. Perhaps src/zlib should be patched to be on the safe side; diffing zlib_1.1.3-19.diff.gz and zlib_1.1.3-19.1.diff.gz produces the patch.)

Thanks,

-- 
Colin Watson [EMAIL PROTECTED]
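
One way to confirm the static linking reported above, as an added example that is not part of the original report: scan a binary image for the copyright strings that zlib's deflate.c and inftrees.c compile in, and separately for a libz soname. The function names and the sample byte strings are constructed for illustration.

```python
import re
import sys

# zlib's deflate.c and inftrees.c each define a copyright string, such as
# " inflate 1.1.3 Copyright 1995-1998 Mark Adler ", which survives in any
# binary that contains the library code itself.
ZLIB_MARK = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3}\S*) Copyright")
# Heuristic: a NUL-terminated libz soname in the ELF dynamic string table.
SHARED_MARK = re.compile(rb"libz\.so(?:\.\d+)*\x00")

def embedded_zlib_versions(blob):
    """Map each embedded zlib version to the routines (inflate/deflate) seen."""
    found = {}
    for m in ZLIB_MARK.finditer(blob):
        found.setdefault(m.group(2).decode(), set()).add(m.group(1).decode())
    return found

def classify(blob):
    """Return 'static', 'shared', 'both' or 'none' for one binary image."""
    static = bool(embedded_zlib_versions(blob))
    shared = bool(SHARED_MARK.search(blob))
    if static and shared:
        return "both"
    return "static" if static else "shared" if shared else "none"

# Constructed sample images (not real fastjar binaries).
SAMPLE_STATIC = (b"\x7fELF\x00main\x00"
                 b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
                 b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
SAMPLE_SHARED = b"\x7fELF\x00libc.so.6\x00libz.so.1\x00inflateInit_\x00"

if __name__ == "__main__":
    # Usage: python3 this_script.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, classify(blob), embedded_zlib_versions(blob) or "")
```

The marker carries only the upstream version number, so a hit shows that a private copy of zlib is present, not whether a distribution patch has been applied to it; treat any "static" or "both" result as a package to rebuild or check at the source level.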