vulnerable zlib in testing?

Igor Zivkovic igor at
Sun Sep 12 09:08:19 PDT 2004

Matthew Burgess wrote:
> "Kevin P. Fleming" <kpfleming at> wrote:
>> I am more concerned about CVS having an embedded zlib, and it not
>> being the one that we build as part of LFS. Should we change the book
>> to force CVS to use the system's zlib, even if it still links
>> statically?
> Well, yes, but that's a BLFS issue of course - last time I looked we
> didn't install CVS as part of an _LFS_ install :)  Anyway, for what it's
> worth I've just installed the latest version of CVS and it still links
> to the in-tree zlib (1.1.4) statically.  Moreover, I didn't see a switch
> to ./configure that enables one to use the system installed zlib.  This
> particular DoS is only applicable to 1.2.x versions anyway, but then
> 1.1.4 is prone to other security issues anyhow!

We used to have the patch for CVS in the book until it was decided to
only keep required patches i.e. the ones that fix broken functionality.

Personally, I'd like to see this one back in the book.

Igor Zivkovic

More information about the lfs-dev mailing list