[24634] in bugtraq
Re: security problem fixed in zlib 1.1.4
daemon@ATHENA.MIT.EDU (Neil W Rickert)
Tue Mar 12 14:12:34 2002
To: bugtraq@securityfocus.com
In-Reply-To: Message from Jean-loup Gailly <jloup@gzip.org>
of "Mon, 11 Mar 2002 22:00:21 +0100." <15501.6885.557609.342477@kerla.poseidon-tech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 11 Mar 2002 19:13:12 -0600
Message-ID: <12790.1015895592@euclid.cs.niu.edu>
From: Neil W Rickert <rickert+bt@cs.niu.edu>
Jean-loup Gailly <jloup@gzip.org> wrote:
>Zlib Advisory 2002-03-11
>zlib Compression Library Corrupts malloc Data Structures via Double Free
A quick note.

Checking the source code from ssh.com, it appears that ssh-1.2.33
comes with included zlib-1.0.4, and ssh-3.1.0 comes with included
zlib-1.1.3.

Possibly both are vulnerable.

With OpenSSH, you supply a separately installed zlib. Presumably
versions compiled before today, including those built to handle
the channel.c problem, may be vulnerable to the zlib problem.

It would be a sensible idea for people who compiled OpenSSH-3.1p1
last week to install the new zlib and rebuild OpenSSH.
-NWR
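
Added example, not part of the original message or of any project named in it: a way to find binaries or libraries that carry a zlib copy older than 1.1.4, the situation described above for ssh builds with an included zlib. It assumes zlib's "deflate X.Y.Z Copyright" / "inflate X.Y.Z Copyright" banner strings are still present in the file; the function names and sample bytes are constructed for illustration.

```python
import re
import sys

# zlib embeds copyright banners such as " deflate 1.1.3 Copyright 1995-1998 ..."
# in its object code, so they survive in programs that bundle their own copy
# as well as in the shared library itself.
BANNER = re.compile(rb"(?:deflate|inflate) (\d+)\.(\d+)\.(\d+)(?:\.\d+)? Copyright")
FIXED = (1, 1, 4)  # release named in the advisory subject as carrying the fix

def embedded_zlib_versions(blob):
    """Return the set of (major, minor, patch) zlib versions found in blob."""
    return {tuple(int(x) for x in m.groups()) for m in BANNER.finditer(blob)}

def vulnerable_versions(blob):
    """Return the sorted list of embedded zlib versions older than FIXED."""
    return sorted(v for v in embedded_zlib_versions(blob) if v < FIXED)

def scan_file(path):
    """Read a binary or library from disk and report pre-fix zlib versions."""
    with open(path, "rb") as fh:
        return vulnerable_versions(fh.read())

# Constructed sample: bytes shaped like a binary with an included zlib 1.1.3.
SAMPLE_BUNDLED = (b"\x7fELF\x00\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
                  b"\x00 inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
# Constructed sample: the same layout after rebuilding against zlib 1.1.4.
SAMPLE_REBUILT = b"\x7fELF\x00\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"

if __name__ == "__main__":
    # Usage: python script.py /path/to/sshd /path/to/libz.so ...
    status = 0
    for path in sys.argv[1:]:
        try:
            hits = scan_file(path)
        except OSError as exc:
            print(f"{path}: cannot read ({exc})")
            continue
        if hits:
            status = 1
            found = ", ".join(".".join(map(str, v)) for v in hits)
            print(f"{path}: zlib {found} found, older than 1.1.4")
        else:
            print(f"{path}: no pre-1.1.4 zlib banner found")
    sys.exit(status)
```

A file with no banner at all is reported as clean, so a stripped or modified zlib copy will not be detected by this check.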