zlib 1.2.2

Chris Uppal-3
FYI

Appended is an announcement of a security problem in zlib, that was posted to
BugTraq today.

People using the 'official' zlib1.dll (as my own zlib-based stuff does) will
find an updated dll at the site mentioned (which I haven't tested yet).  People
using differently packaged versions of zlib would be well advised (at least if
they are not in control of the input to zlib) to check with whoever supplied
the version they are using.

BTW, it's a 'denial of service' attack -- i.e. it's possible to crash an
application using zlib -- not a remote execution attack.

    -- chris


===================================

Security guardians,

zlib 1.2.2 has been released, which remedies a vulnerability to a
denial-of-service attack ( http://www.kb.cert.org/vuls/id/238678 ).
You can get the latest release here:

     http://www.zlib.net/

Note that the "canonical" zlib site at http://www.zlib.org/ has yet to
be updated by the owner, Jean-loup Gailly, and still shows zlib 1.2.1.
You should go to the above site for the latest release.  My gpg
signature on the zlib-1.2.2.tar.gz is attached below.

Mark Adler



Re: zlib 1.2.2

Sebastián Sastre
Just to be aware,

    I had some problems with different versions of zlib. Some of them worked
well with XP but did not on an old Pentium with Win98SE. The most widely
"trouble free" I've found was the dll with date 11.18.2003.

regards,

Seb


"Chris Uppal" <[hidden email]> wrote in message news:[hidden email]...
> FYI
>
> Appended is an announcement of a security problem in zlib, that was posted to
> BugTraq today.
>
> People using the 'official' zlib1.dll (as my own zlib-based stuff does) will
> find an updated dll at the site mentioned (which I haven't tested yet).  People
> using differently packaged versions of zlib would be well advised (at least if
> they are not in control of the input to zlib) to check with whoever supplied
> the version they are using.
>
> BTW, it's a 'denial of service' attack -- i.e. it's possible to crash an
> application using zlib -- not a remote execution attack.
>
>     -- chris
>
>
> ===================================
>
> Security guardians,
>
> zlib 1.2.2 has been released, which remedies a vulnerability to a
> denial-of-service attack ( http://www.kb.cert.org/vuls/id/238678 ).
> You can get the latest release here:
>
>      http://www.zlib.net/
>
> Note that the "canonical" zlib site at http://www.zlib.org/ has yet to
> be updated by the owner, Jean-loup Gailly, and still shows zlib 1.2.1.
> You should go to the above site for the latest release.  My gpg
> signature on the zlib-1.2.2.tar.gz is attached below.
>
> Mark Adler