vulnerable zlib in testing?

Kevin P. Fleming kpfleming at
Sun Sep 12 07:31:41 PDT 2004

Laurens Blankers wrote:

> The following patch was posted to the lfs-security list:
> It is used by both Gentoo and Debian. I have used it when building my 
> LFS 6.0-testing-20040905 system and everything appears to work fine.

This brings up an important point; I would like to see some text in the 
books that tells the user when a package links itself against another 
package's library _statically_.

In this case, I know I can reinstall zlib with the patch, and anything 
that links to will be using the patched version when it next 
gets loaded. What I don't know (conclusively) is which packages in a 
standard LFS install link themselves to libz.a at build time, thus 
necessitating a rebuild of those dependent packages if zlib is 

Honestly, I think this this information could be quite valuable to 
LFS/BLFS book readers/users. Having a library listed as a dependency is 
nice, but it would be very useful to have those "special" dependencies 
marked in the book, so that users will know what needs to be done when 
an update is installed.

Is this overkill for the books, or outside the scope/mission of the books?

More information about the lfs-dev mailing list