Bug#: 184592
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Christian Faulhammer <fauli@gentoo.org>
Description:   Opened: 2007-07-08 10:43 0000
After becoming aware that erlang ships its internal copy of zlib (thanks to
flameeyes), I checked the version included. Current stable 11.2.1 has zlib
1.1.4 while the latest in testing (11.2.5) has 2.2.3 (current zlib). In between,
at least two security issues have been fixed.

See bug 99751 (A1) and bug 61749 (A3). As zlib is patched, I cannot simply
remove it and build against the system one, but upstream promised me that this
will be enabled in version 12.

My proposal: Stabilise 11.2.5 immediately (no bug reports in the few days it
has been in the tree).
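A check for the kind of drift the report describes, added here as an example that is not part of the bug or of erlang's own build: it finds every bundled zlib.h in a source tree, extracts ZLIB_VERSION and reports copies below a minimum version. The 1.2.3 cutoff, the vendor paths and the sample tree are assumptions.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Matches the version define near the top of zlib.h, e.g. #define ZLIB_VERSION "1.2.3"
VERSION_RE = re.compile(r'#\s*define\s+ZLIB_VERSION\s+"([0-9.]+)"')

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.1.4' -> (1, 1, 4); tuples order correctly where strings would not."""
    return tuple(int(p) for p in text.split(".") if p)

def zlib_version(header_source: str) -> Optional[str]:
    """Return the ZLIB_VERSION string found in zlib.h text, or None."""
    match = VERSION_RE.search(header_source)
    return match.group(1) if match else None

def stale_headers(headers: Dict[str, str], minimum: str) -> List[Tuple[str, str]]:
    """Given {path: zlib.h contents}, list (path, version) for every copy below minimum.
    A zlib.h with no recognisable version is reported as 'unknown' rather than passed."""
    cutoff = parse_version(minimum)
    found = []
    for path, source in sorted(headers.items()):
        version = zlib_version(source)
        if version is None:
            found.append((path, "unknown"))
        elif parse_version(version) < cutoff:
            found.append((path, version))
    return found

def scan_tree(root: str, minimum: str = "1.2.3") -> List[Tuple[str, str]]:
    """Walk a checkout, read every zlib.h and report stale or unidentifiable copies."""
    headers = {}
    for dirpath, _subdirs, files in os.walk(root):
        if "zlib.h" in files:
            path = os.path.join(dirpath, "zlib.h")
            with open(path, encoding="utf-8", errors="replace") as fh:
                headers[path] = fh.read()
    return stale_headers(headers, minimum)

# Constructed sample (assumed paths): one vendored copy at the bug's 1.1.4, one at 1.2.3.
SAMPLE_TREE = {
    "erlang-11.2.1/vendor/zlib/zlib.h": '#define ZLIB_VERSION "1.1.4"\n',
    "erlang-11.2.5/vendor/zlib/zlib.h": '#define ZLIB_VERSION "1.2.3"\n',
}

if __name__ == "__main__":
    for path, version in stale_headers(SAMPLE_TREE, "1.2.3"):
        print(f"stale bundled zlib {version}: {path}")
```

Run `scan_tree("/path/to/unpacked/source")` against a real checkout; an empty result means every bundled zlib.h meets the cutoff.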

------- Comment #1 From Christian Faulhammer 2007-07-14 13:34:37 0000 -------
Arches please stabilise dev-lang/erlang-11.2.5

------- Comment #2 From Tobias Scherbaum 2007-07-15 22:01:23 0000 -------
ppc stable

------- Comment #3 From Gustavo Zacarias (RETIRED) 2007-07-17 21:47:56 0000 -------
sparc stable.

------- Comment #4 From Christian Faulhammer 2007-07-18 05:48:26 0000 -------
Changing status, as all arches are stable

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-07-18 06:07:13 0000 -------
Thx Opfer.

I tend to vote NO.

------- Comment #6 From Ulrich Müller 2007-07-18 06:43:36 0000 -------
CVE-2005-1849 and CVE-2004-0797 from the two originally cited zlib bugs are
both denial-of-service attacks which IMHO means that this one is severity B3.

------- Comment #7 From Pierre-Yves Rofes 2007-07-18 07:34:59 0000 -------
Thanks Ulrich. I vote NO.

------- Comment #8 From Matt Drew 2007-07-24 10:56:47 0000 -------
I vote no.

------- Comment #9 From Pierre-Yves Rofes 2007-07-24 11:32:04 0000 -------
closing without glsa then. Feel free to reopen if you disagree, as always :)
