vulnerable zlib in testing?

Matthew Burgess matthew at
Sun Sep 12 07:41:23 PDT 2004

On Sun, 12 Sep 2004 07:31:41 -0700
"Kevin P. Fleming" <kpfleming at> wrote:

> Laurens Blankers wrote:
> > The following patch was posted to the lfs-security list:
> > 
> >
> > 
> > It is used by both Gentoo and Debian. I have used it when building my
> > LFS 6.0-testing-20040905 system and everything appears to work fine.
>
> This brings up an important point; I would like to see some text in the
> books that tells the user when a package links itself against another
> package's library _statically_.

I'll leave that for future discussion.  I don't see why we can't do this -
other than needing a script that will tell us that kind of information of
course.

> In this case, I know I can reinstall zlib with the patch, and anything
> that links to will be using the patched version when it next 
> gets loaded. What I don't know (conclusively) is which packages in a 
> standard LFS install link themselves to libz.a at build time, thus 
> necessitating a rebuild of those dependent packages if zlib is 
> updated/upgraded.
 Of course, this is particular to zlib, but it should help out with your
immediate concerns.
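
Added example, not part of the original message or of the LFS book: a sketch of the kind of script the thread asks for, listing ELF files under a directory that carry their own copy of zlib and so need a rebuild after zlib is patched. It assumes the version banners that zlib compiles in from deflate.c and inftrees.c are still present in the binary; the names `embedded_zlib_versions` and `scan_tree` are made up for this sketch.

```python
import re
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# zlib keeps banners such as " deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly "
# and " inflate 1.2.1 Copyright 1995-2003 Mark Adler " in its object code.
ZLIB_BANNER = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-")


def embedded_zlib_versions(data):
    """Return the sorted zlib versions whose banner appears in an ELF image."""
    if not data.startswith(ELF_MAGIC):
        return []  # scripts, text files and ar archives (libz.a itself) are skipped
    return sorted({m.group(2).decode() for m in ZLIB_BANNER.finditer(data)})


def scan_tree(root):
    """Map each ELF file under root that embeds zlib code to the versions found."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.name.startswith("libz.so"):
            continue  # the shared zlib is replaced by reinstalling zlib
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: nothing to report
        versions = embedded_zlib_versions(data)
        if versions:
            hits[str(path)] = versions
    return hits


if __name__ == "__main__":
    # Usage (paths are the caller's choice): python3 find_static_zlib.py /bin /usr/bin
    for root in sys.argv[1:]:
        for path, versions in scan_tree(root).items():
            print(f"{path}: embeds zlib {', '.join(versions)}")
```

This is a heuristic: a binary that bundles zlib with the banner removed is missed, and a hit should be confirmed against the package's build before rebuilding.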


