vulnerable zlib in testing?

Matthew Burgess matthew at
Sun Sep 12 08:20:20 PDT 2004

On Sun, 12 Sep 2004 08:00:11 -0700
"Kevin P. Fleming" <kpfleming at> wrote:

> I am more concerned about CVS having an embedded zlib, and it not
> being the one that we build as part of LFS. Should we change the book
> to force CVS to use the system's zlib, even if it still links
> statically?

Well, yes, but that's a BLFS issue of course - last time I looked we
didn't install CVS as part of an _LFS_ install :)  Anyway, for what it's
worth I've just installed the latest version of CVS and it still links
to the in-tree zlib (1.1.4) statically.  Moreover, I didn't see a switch
to ./configure that enables one to use the system installed zlib.  This
particular DoS is only applicable to 1.2.x versions anyway, but then
1.1.4 is prone to other security issues anyhow!
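
An added example, not part of the original message or of any project's code: one way to find a statically linked zlib copy such as the one described above, by scanning a binary for the version banners that zlib's `deflate.c` and `inftrees.c` compile in. The sample bytes and the system version `9.9.9` are constructed placeholders.

```python
import re
import sys

# zlib embeds copyright strings that carry its version, for example
# " inflate 1.1.4 Copyright 1995-2002 Mark Adler ". They are ordinary data,
# so they survive static linking and symbol stripping.
ZLIB_BANNER = re.compile(
    rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4}")

def embedded_zlib_versions(data: bytes) -> dict:
    """Map each zlib version found in data to the components carrying it."""
    found = {}
    for m in ZLIB_BANNER.finditer(data):
        found.setdefault(m.group(2).decode(), set()).add(m.group(1).decode())
    return found

def audit(data: bytes, system_version: str) -> list:
    """Report embedded zlib copies whose version differs from the system's."""
    findings = []
    for version, parts in sorted(embedded_zlib_versions(data).items()):
        if version != system_version:
            findings.append(
                f"embedded zlib {version} ({'/'.join(sorted(parts))}) "
                f"differs from system zlib {system_version}")
    return findings

# Constructed sample: a binary with an in-tree zlib 1.1.4 linked statically.
SAMPLE_STATIC = (b"\x7fELF\x00\x01\x02"
                 b"\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"
                 b"\x00 inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00")
# Constructed sample: a static link against the (placeholder) system version.
SAMPLE_MATCHING = b"\x7fELF\x00 inflate 9.9.9 Copyright 1995-2004 Mark Adler \x00"

if __name__ == "__main__":
    # Usage: python find_zlib.py SYSTEM_ZLIB_VERSION FILE...
    if len(sys.argv) < 3:
        sys.exit("usage: find_zlib.py SYSTEM_ZLIB_VERSION FILE...")
    status = 0
    for path in sys.argv[2:]:
        with open(path, "rb") as fh:
            for finding in audit(fh.read(), sys.argv[1]):
                print(f"{path}: {finding}")
                status = 1
    sys.exit(status)
```

A binary that links zlib dynamically carries no banner of its own, so an empty result means no static copy was found, not that zlib is unused.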

