RE: 1st security warning: "installed zlib version may contain a security bug"

From: Ted Mittelstaedt (tedm_at_toybox.placo.com)
Date: 01/31/05

    To: "Lowell Gilbert" <freebsd-questions-local@be-well.ilk.org>, "Timothy Luoma" <lists@tntluoma.com>
    Date: Sun, 30 Jan 2005 16:39:24 -0800
    
    

    > -----Original Message-----
    > From: owner-freebsd-questions@freebsd.org
    > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Lowell Gilbert
    > Sent: Sunday, January 30, 2005 7:38 AM
    > To: Timothy Luoma
    > Cc: FreeBSD-Questions Questions
    > Subject: Re: 1st security warning: "installed zlib version may contain
    > a security bug"
    >
    >
    > Timothy Luoma <lists@tntluoma.com> writes:
    >
    > > I was trying to configure && make 'clamav-0.81' when it complained
    > > about this:
    > >
    > > configure: error: The installed zlib version may contain a security
    > > bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can
    > > omit this check with --disable-zlib-vcheck but DO NOT REPORT any
    > > stablility issues then!
    > >
    > > I went to zlib.net, downloaded 1.2.2, did './configure && make install
    > > clean'
    > >
    > > Is that all I need to do? This is my first "security warning" so I
    > > want to make sure I'm not missing something obvious.
    >
    > It sounds like you're missing the ports collection, to begin with. It
    > will handle dependencies for you, a big help in upgrades.

    Lowell,

    Considering that /ports/security/clamav was only updated to
    clamav 0.81 6 hours ago it is quite expected that the OP would
    have tried building this himself.

    > And you
    > should try to use the FreeBSD base system upgrades and security
    > advisories for keeping up on security issues, rather than trying to
    > install bits and pieces yourself (unlike, say, Linux, FreeBSD is a
    > whole operating system).
    >

    zlib is part of the base OS; it should be at version 1.2.2 in FreeBSD
    4.11R, since version 1.2.2 was released in October 2004.

    However, all prior FreeBSD will be at 1.2.1. And furthermore there is
    NO current security advisory on zlib for FreeBSD. I might also point
    out that http://www.gzip.org/zlib/ still shows the old zlib.

    This is an easy fix. Download zlib 1.2.2 from http://www.zlib.net
    and build it according to the instructions and install it in
    /usr/local. Temporarily rename /usr/lib/libz.a, /usr/lib/libz.so,
    /usr/lib/libz.so.2, and /usr/lib/libz_p.a to backup files, build
    clamav (this will shut up clamav and allow it to build) then
    rename them back.

    Keep in mind that this WILL NOT fix the zlib security hole in
    the system. zlib is probably linked into a number of utilities
    on your system and a proper fix would be to replace the zlib
    library, and recompile all the utilities in the system that
    are linked into the static library.

    Ted
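Ted's closing caveat is that a replacement libz in /usr/local does nothing for utilities that were linked against the old zlib statically. The following is an added example, not code from the thread or from FreeBSD: a POSIX shell script that scans a directory for executables carrying zlib's compiled-in version string (zlib's inflate.c and deflate.c embed " inflate <version> Copyright ..." style strings) and flags any older than 1.2.2, with a constructed sample directory (hypothetical file names) so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread: locate executables that carry an
# embedded zlib version string and flag those older than 1.2.2. zlib compiles
# strings such as " inflate 1.2.1 Copyright 1995-2003 Mark Adler " into every
# binary that uses it, so a statically linked copy shows up in the executable
# itself even though ldd(1) would report no libz dependency.

MIN_ZLIB="1.2.2"

# Print the zlib version found in file $1, or nothing if there is none.
zlib_version_of() {
    grep -a -o -E '(inflate|deflate) [0-9][0-9.]* Copyright' "$1" 2>/dev/null \
        | head -n 1 | awk '{ print $2 }'
}

# Succeed (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# Walk directory $1 and print "path version" for each file whose embedded
# zlib is older than MIN_ZLIB, sorted for stable output.
scan_for_old_zlib() {
    find "$1" -type f -print | while IFS= read -r f; do
        v=$(zlib_version_of "$f")
        if [ -n "$v" ] && version_lt "$v" "$MIN_ZLIB"; then
            printf '%s %s\n' "$f" "$v"
        fi
    done | sort
}

# Build a constructed sample tree (hypothetical file names) so the scan can be
# exercised offline: one "binary" with zlib 1.2.1 built in, one with 1.2.2,
# and one with no zlib at all. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '\177ELF\001\002\000 inflate 1.2.1 Copyright 1995-2003 Mark Adler \000' > "$d/oldtool"
    printf '\177ELF\001\002\000 deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \000' > "$d/newtool"
    printf '\177ELF\001\002\000no compression here\000' > "$d/plain"
    printf '%s\n' "$d"
}

# On a real system: scan_for_old_zlib /usr/bin (or /usr/sbin, /usr/local/bin)
```

Files with no embedded string are either free of zlib or link it dynamically; the latter are covered by replacing the shared library, the former are the static copies Ted is warning about.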


