1st security warning: "installed zlib version may contain a security bug"

Ted Mittelstaedt tedm at toybox.placo.com
Sun Jan 30 16:49:08 PST 2005



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Ted
> Mittelstaedt
> Sent: Sunday, January 30, 2005 4:39 PM
> To: Lowell Gilbert; Timothy Luoma
> Cc: FreeBSD-Questions Questions
> Subject: RE: 1st security warning: "installed zlib version may
> contain a security bug"
>
>
>
>
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
> > Lowell Gilbert
> > Sent: Sunday, January 30, 2005 7:38 AM
> > To: Timothy Luoma
> > Cc: FreeBSD-Questions Questions
> > Subject: Re: 1st security warning: "installed zlib version
> > may contain a security bug"
> >
> >
> > Timothy Luoma <lists at tntluoma.com> writes:
> >
> > > I was trying to configure && make 'clamav-0.81' when it complained
> > > about this:
> > >
> > > configure: error: The installed zlib version may contain a security
> > > bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can
> > > omit this check with --disable-zlib-vcheck but DO NOT REPORT any
> > > stablility issues then!
> > >
> > > I went to zlib.net, downloaded 1.2.2, did './configure && make install
> > > clean'
> > >
> > > Is that all I need to do?  This is my first "security warning" so I
> > > want to make sure I'm not missing something obvious.
> >
> > It sounds like you're missing the ports collection, to begin with.  It
> > will handle dependencies for you, a big help in upgrades.
>
> Lowell,
>
> Considering that /ports/security/clamav was only updated to
> clamav 0.81 6 hours ago it is quite expected that the OP would
> have tried building this himself.
>
> > And you should try to use the FreeBSD base system upgrades and security
> > advisories for keeping up on security issues, rather than trying to
> > install bits and pieces yourself (unlike, say, Linux, FreeBSD is a
> > whole operating system).
> >
>
> zlib is part of the base OS; it should be at version 1.2.2 in FreeBSD
> 4.11R, since version 1.2.2 was released in October 2004.
>

Oops, belay this - the version of zlib in FreeBSD is much older and
is not vulnerable.

clamav is the problem - the check they are making is assuming that
any zlib implementation that is not 1.2.2 is vulnerable.  The hack
that I gave will work to get clamav built on your system - but there
is no need to update the zlib libraries.

Ted


