From nobody@FreeBSD.org Mon Nov 14 16:38:59 2005
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DED1416A41F
	for ; Mon, 14 Nov 2005 16:38:59 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 98BE143D46
	for ; Mon, 14 Nov 2005 16:38:59 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jAEGcxE0024130
	for ; Mon, 14 Nov 2005 16:38:59 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jAEGcx85024129;
	Mon, 14 Nov 2005 16:38:59 GMT
	(envelope-from nobody)
Message-Id: <200511141638.jAEGcx85024129@www.freebsd.org>
Date: Mon, 14 Nov 2005 16:38:59 GMT
From: "Jukka A. Ukkonen"
To: freebsd-gnats-submit@FreeBSD.org
Subject: FreeBSD-6.0 is still using zlib-1.2.2
X-Send-Pr-Version: www-2.3

>Number:         89012
>Category:       bin
>Synopsis:       [libz] FreeBSD-6.0 is still using zlib-1.2.2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 14 16:40:25 GMT 2005
>Closed-Date:    Mon Sep 25 16:37:15 GMT 2006
>Last-Modified:  Mon Sep 25 16:37:15 GMT 2006
>Originator:     Jukka A. Ukkonen
>Release:        FreeBSD-6.0-STABLE
>Organization:
private citizen
>Environment:
This report does not refer to an installed FreeBSD-6.0 but to
plain source code review.

>Description:
The ZLIB origin site (www.zlib.net) states this...
------
Current release:
zlib 1.2.3

July 18, 2005

Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately.
The following important fixes are provided in zlib 1.2.3 over 1.2.1 and 1.2.2:
------

For some odd reason FreeBSD-6.0 seems to be using zlib-1.2.2 though it is claimed
to carry security issues.

>How-To-Repeat:
Either look into the source tree /usr/src/lib/libz/zlib.h or on systems
with FreeBSD-6.0 already installed look into /usr/include/zlib.h.
There are lines like...

#define ZLIB_VERSION "1.2.2"
#define ZLIB_VERNUM 0x1220

though for zlib-1.2.3 they should be ...

#define ZLIB_VERSION "1.2.3"
#define ZLIB_VERNUM 0x1230

>Fix:
AFAIK zlib-1.2.3 should be a drop-in replacement for 1.2.2 unless the
original source files have been mutilated while imported to the FreeBSD
source tree. Simply replace the 1.2.2 source files using the current
1.2.3 source files, re-compile, and re-install.

>Release-Note:
>Audit-Trail:
From: Kris Kennaway
To: "Jukka A. Ukkonen"
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/89012: FreeBSD-6.0 is still using zlib-1.2.2
Date: Mon, 14 Nov 2005 21:43:09 -0500

On Mon, Nov 14, 2005 at 04:38:59PM +0000, Jukka A. Ukkonen wrote:
> 
> >Number:         89012
> >Category:       misc
> >Synopsis:       FreeBSD-6.0 is still using zlib-1.2.2
> >Confidential:   no
> >Severity:       serious
> >Priority:       medium
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   current-users
> >Arrival-Date:   Mon Nov 14 16:40:25 GMT 2005
> >Closed-Date:
> >Last-Modified:
> >Originator:     Jukka A. Ukkonen
> >Release:        FreeBSD-6.0-STABLE
> >Organization:
> private citizen
> >Environment:
> This report does not refer to an installed FreeBSD-6.0 but to
> plain source code review.
> 
> 
> >Description:
> The ZLIB origin site (www.zlib.net) states this...
> ------
> Current release:
> zlib 1.2.3
> 
> July 18, 2005
> 
> Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately.
> The following important fixes are provided in zlib 1.2.3 over 1.2.1 and 1.2.2:
> ------
> 
> For some odd reason FreeBSD-6.0 seems to be using zlib-1.2.2 though it is claimed
> to carry security issues.

The security issues were fixed without performing a full upgrade to 1.2.3
(as described in the relevant FreeBSD security advisory).  Do you have
reason to believe otherwise?

Kris

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Fri Apr 14 15:41:22 UTC 2006
State-Changed-Why: 
des@ imported zlib 1.2.3 to HEAD.

http://www.freebsd.org/cgi/query-pr.cgi?pr=89012

State-Changed-From-To: patched->closed
State-Changed-By: maxim
State-Changed-When: Mon Sep 25 16:36:40 UTC 2006
State-Changed-Why: 
RELENG_6 got zlib 1.2.3 too.

http://www.freebsd.org/cgi/query-pr.cgi?pr=89012
>Unformatted:
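The How-To-Repeat section above checks the version by reading ZLIB_VERSION and ZLIB_VERNUM out of zlib.h, and the reply from Kris Kennaway explains why that check alone is not conclusive: FreeBSD had backported the fixes without bumping the version. The script below, an added example that is not part of this PR and not FreeBSD or zlib code, automates the header check: it parses both macros, decodes ZLIB_VERNUM nibble by nibble (0x1230 is 1.2.3.0), verifies that the string and the number agree, and compares against a minimum of 0x1230. The two header excerpts are constructed sample input copied from the defines the PR quotes; the function names and the MIN_SAFE_VERNUM constant are this example's own. Run it against /usr/include/zlib.h on a live system to get the same report for the installed header.

```python
"""Decode and cross-check the zlib version macros found in a zlib.h header.

Added example (not code from the PR, FreeBSD or zlib). ZLIB_VERNUM is laid
out as four hex nibbles, major.minor.revision.subrevision, so 0x1230 means
1.2.3.0 and 0x12b0 means 1.2.11.0. The sample headers below are constructed
from the defines quoted in the PR.
"""
import re
from typing import Tuple

# Constructed sample: the defines the PR quotes from FreeBSD 6.0's zlib.h.
SAMPLE_ZLIB_H_122 = '''
#define ZLIB_VERSION "1.2.2"
#define ZLIB_VERNUM 0x1220
'''

# Constructed sample: the values the PR says a zlib 1.2.3 header carries.
SAMPLE_ZLIB_H_123 = '''
#define ZLIB_VERSION "1.2.3"
#define ZLIB_VERNUM 0x1230
'''

# zlib 1.2.3, per the zlib.net notice quoted in the PR (example's own name).
MIN_SAFE_VERNUM = 0x1230


def parse_zlib_header(text: str) -> Tuple[str, int]:
    """Return (ZLIB_VERSION, ZLIB_VERNUM) from header text; raise if absent."""
    m_str = re.search(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', text, re.M)
    m_num = re.search(r'^\s*#\s*define\s+ZLIB_VERNUM\s+(0[xX][0-9a-fA-F]+)', text, re.M)
    if not m_str or not m_num:
        raise ValueError("ZLIB_VERSION or ZLIB_VERNUM not found in header")
    return m_str.group(1), int(m_num.group(1), 16)


def vernum_to_tuple(vernum: int) -> Tuple[int, int, int, int]:
    """Split the 0xMNRS nibble layout into (major, minor, revision, subrevision)."""
    return ((vernum >> 12) & 0xF, (vernum >> 8) & 0xF,
            (vernum >> 4) & 0xF, vernum & 0xF)


def version_string_to_tuple(version: str) -> Tuple[int, int, int, int]:
    """Parse "1.2.3" or "1.2.3.3" into a 4-tuple, ignoring a suffix such as "-beta"."""
    core = re.match(r'(\d+(?:\.\d+){1,3})', version)
    if not core:
        raise ValueError(f"unparseable ZLIB_VERSION {version!r}")
    parts = [int(p) for p in core.group(1).split('.')]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def check_zlib_header(text: str, minimum: int = MIN_SAFE_VERNUM) -> dict:
    """Report whether the header's declared version is self-consistent and new enough.

    This only tells you what the header *declares*. As the reply in the PR
    notes, a vendor can backport security fixes without bumping the version,
    so a failing result is a lead to check against the vendor's advisories,
    not a confirmed vulnerability.
    """
    version, vernum = parse_zlib_header(text)
    return {
        "version": version,
        "vernum": vernum,
        "consistent": vernum_to_tuple(vernum) == version_string_to_tuple(version),
        "meets_minimum": vernum >= minimum,
    }


if __name__ == "__main__":
    for name, hdr in (("1.2.2 header", SAMPLE_ZLIB_H_122),
                      ("1.2.3 header", SAMPLE_ZLIB_H_123)):
        print(name, check_zlib_header(hdr))
```

To check an installed header instead of the samples, read the file and pass its text to check_zlib_header(); a "consistent": False result means the string and numeric macros disagree, which is the kind of mismatch the PR's own suggestion of "mutilated" source files would produce.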