vulnerable zlib in testing?
Kevin P. Fleming
kpfleming at linuxfromscratch.org
Sun Sep 12 07:31:41 PDT 2004

Laurens Blankers wrote:

> The following patch was posted to the lfs-security list:
> It is used by both Gentoo and Debian. I have used it when building my
> LFS 6.0-testing-20040905 system and everything appears to work fine.

This brings up an important point; I would like to see some text in the
books that tells the user when a package links itself against another
package's library _statically_.

In this case, I know I can reinstall zlib with the patch, and anything
that links to libz.so will be using the patched version when it next
gets loaded. What I don't know (conclusively) is which packages in a
standard LFS install link themselves to libz.a at build time, thus
necessitating a rebuild of those dependent packages if zlib is

Honestly, I think this information could be quite valuable to
LFS/BLFS book readers/users. Having a library listed as a dependency is
nice, but it would be very useful to have those "special" dependencies
marked in the book, so that users will know what needs to be done when
an update is installed.

Is this overkill for the books, or outside the scope/mission of the books?
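
One way to answer the "which packages linked libz.a" question on an installed system, as an added example that is not part of the original post or of the LFS books: zlib compiles copyright strings into deflate.c and inflate.c, so an ELF file that contains them carries its own copy of the code and needs a rebuild after the patch. The function names, the default `/usr/bin` root, and the sample byte strings are assumptions made for this sketch.

```python
import re
import sys
from pathlib import Path

# zlib's deflate.c and inflate.c each define a copyright string; it survives in
# any binary that pulled those objects in from libz.a at link time.
EMBEDDED = re.compile(rb" (?:deflate|inflate) (\d+(?:\.\d+)+)\S* Copyright ")
# A dynamic dependency on zlib appears as this library name in .dynstr.
SHARED = re.compile(rb"libz\.so(?:\.\d+)*\x00")

def classify(data):
    """Return (embedded zlib versions, references libz.so?) for one file image."""
    versions = sorted({m.group(1).decode() for m in EMBEDDED.finditer(data)})
    return versions, bool(SHARED.search(data))

def scan(root):
    """Yield (path, versions, uses_shared) for ELF files carrying their own zlib."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file() or path.name.startswith("libz."):
            continue  # libz.so / libz.a themselves are replaced by the reinstall
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if data[:4] != b"\x7fELF":
            continue  # scripts and text that merely mention zlib are not findings
        versions, uses_shared = classify(data)
        if versions:
            yield str(path), versions, uses_shared

# Constructed sample images (not real binaries), used to exercise classify().
SAMPLE_STATIC = (
    b"\x7fELF" + b"\x00" * 12
    + b" deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly \x00"
    + b" inflate 1.2.1 Copyright 1995-2003 Mark Adler \x00"
)
SAMPLE_DYNAMIC = b"\x7fELF" + b"\x00" * 12 + b"\x00libz.so.1\x00inflateInit_\x00"

if __name__ == "__main__":
    for root in sys.argv[1:] or ["/usr/bin"]:
        for path, versions, uses_shared in scan(root):
            note = " (also references libz.so)" if uses_shared else ""
            print(f"{path}: embedded zlib {', '.join(versions)}{note}")
```

This is a string heuristic: a binary that was stripped of the copyright data or that bundles a modified zlib will not be reported, so treat an empty result as "nothing found", not as proof.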