Re: about zlib vulnerability

From: Paul Wouters (paulat_private)
Date: Thu Mar 14 2002 - 16:16:41 PST


    On Thu, 14 Mar 2002, tele wrote:
    
    > The vulnerable zlib 1.1.3 code can be even found on the freeswan
    > 1.95 source tree and previous versions, therefore there's a
    > potential vulnerability at kernel level; besides at the web site
    > http://www.freeswan.org the problem is not properly treated.
    
    From the Freeswan list:
    
    Henry Spencer <henryat_private> wrote:
      
    > The FreeS/WAN project classes this bug as non-critical, because an IPsec
    > packet must pass authentication (and be successfully decrypted) before our
    > copy of zlib is asked to decompress it, even if the configuration permits
    > compression (which the default ones do not).  This greatly limits real
    > exposure as a result of this bug.
    >
    > Our next release (1.97, expected at the beginning of April) will
    > incorporate the fix.            
    
    Paul
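
The processing order described in the quoted FreeS/WAN note, as an added example that is not part of the original message and is not FreeS/WAN code: a receiver checks the integrity value before any byte reaches the decompressor. The key, the 12-byte ICV length, the output cap and all function names are assumptions for illustration, and the decryption step is left out for brevity.

```python
import hashlib
import hmac
import zlib

ICV_LEN = 12         # assumed: truncated HMAC length (as in HMAC-SHA1-96)
MAX_OUTPUT = 65535   # assumed cap on decompressed size

class Rejected(Exception):
    """Packet dropped before or during decompression."""

def protect(key: bytes, payload: bytes) -> bytes:
    """Sender side: compress (raw deflate), then append a truncated HMAC."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = c.compress(payload) + c.flush()
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def receive(key: bytes, packet: bytes, stats: dict) -> bytes:
    """Receiver side: authenticate first; only then call the decompressor."""
    if len(packet) <= ICV_LEN:
        raise Rejected("short packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        stats["auth_failed"] += 1
        raise Rejected("ICV mismatch")   # zlib never sees these bytes
    stats["decompress_calls"] += 1
    d = zlib.decompressobj(-15)
    try:
        out = d.decompress(body, MAX_OUTPUT)
    except zlib.error as exc:
        raise Rejected(f"bad deflate stream: {exc}") from exc
    if d.unconsumed_tail or not d.eof:
        raise Rejected("output exceeds cap or stream truncated")
    return out

def demo() -> dict:
    key = b"constructed-demo-key"                  # constructed sample key
    stats = {"auth_failed": 0, "decompress_calls": 0}
    good = protect(key, b"A" * 1000)
    if receive(key, good, stats) != b"A" * 1000:
        raise RuntimeError("round trip failed")
    forged = bytes([good[0] ^ 0xFF]) + good[1:]    # constructed tampered packet
    try:
        receive(key, forged, stats)
    except Rejected:
        pass
    return stats   # one decompress call (the valid packet), one auth failure
```

A peer that holds the key still reaches the decompressor, which is why the example keeps the output cap and the `zlib.error` handling after the authentication check.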
    


