httpd-dev mailing list archives

From Greg Stein <gst...@lyra.org>
Subject Re: FW: zlib vulnerability
Date Tue, 12 Mar 2002 00:58:00 GMT
Recommend that people upgrade, but the vulnerability is *VERY* small. This
is merely talking about corruption of malloc structures. To map that into an
*application* is practically impossible. It highly depends upon the sequence
of malloc() calls, sizes, etc.

IOW, we do nothing but recommend zlib 1.1.4. As an aid, we could have an
autoconf test for the version and issue a warning. But I don't see code
changes needed.

Cheers,
-g

On Mon, Mar 11, 2002 at 03:41:13PM -0800, Ryan Bloom wrote:
> We should probably do something about this, but I'm not sure what.
> 
> Ryan
>...
> -----Original Message-----
> From: GOMEZ Henri [mailto:hgomez@slib.fr] 
> Sent: Monday, March 11, 2002 3:54 PM
> To: Ryan Bloom
> Subject: zlib vulnerability
> 
> Hi Ryan,
> 
> Sorry to disturb you but a quick note to warn you
> about a vulnerability in zlib (which may be used in 
> Apache 2.0 code).
> 
> http://www.gzip.org/zlib/advisory-2002-03-11.txt
> 
> Regards
> 
> -
> Henri Gomez                 ___[_]____
> EMAIL : hgomez@slib.fr        (. .)                     
> PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 

-- 
Greg Stein, http://www.lyra.org/
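
The version test suggested in the message above, sketched as an added example; it is not part of the original thread and not Apache httpd's configure code. `ZLIB_VERSION` is the real macro in `zlib.h`; the function names, return codes and the sample header are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: warn (do not fail) when zlib.h reports a version below 1.1.4.
# Function names and return codes are hypothetical, not from httpd's build.
MIN_ZLIB="1.1.4"

# Print the ZLIB_VERSION string defined in the header $1, or nothing if absent.
zlib_header_version() {
    sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}ZLIB_VERSION[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing each component numerically.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "-beta"
        x=${x:-0}; y=${y:-0}               # missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Autoconf-style check: returns 0 if new enough, 1 if old, 2 if unknown.
check_zlib_header() {
    ver=$(zlib_header_version "$1")
    if [ -z "$ver" ]; then
        echo "checking zlib version... unknown"
        return 2
    fi
    echo "checking zlib version... $ver"
    version_ge "$ver" "$MIN_ZLIB" && return 0
    echo "WARNING: zlib $ver is older than $MIN_ZLIB; upgrading is recommended" >&2
    return 1
}

# Constructed sample header (not a real zlib.h), mimicking a 1.1.3 install.
sample=$(mktemp)
printf '#define ZLIB_VERSION "1.1.3"\n' > "$sample"
check_zlib_header "$sample" || echo "configure continues (warning only)"
rm -f "$sample"
```

A header check only covers the zlib found at build time; a binary that loads a shared zlib picks up whichever version is installed when it runs.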
