<snip> Version 1.2.2 eliminates a potential security vulnerability in zlib 1.2.1, so all users of 1.2.1 should upgrade immediately. The following important fixes are provided in zlib 1.2.2: * Eliminate a potential security vulnerability when decoding invalid compressed data * Fix bug when decompressing dynamic blocks with no distance codes * Do not return an error when using gzread() on an empty file </snip> Vulnerability was fixed in bug 61749.
i just went to zlib's homepage and saw no mention of 1.2.2 nor is 1.2.2 at the normal download locations re-open once 1.2.2 does become available
seems they've posted the info
*** Bug 69988 has been marked as a duplicate of this bug. ***
updated in cvs, thanks :)
Just for the archive: there is http://zlib.net and http://zlib.org (which redirects to http://www.gzip.org/zlib/). Somehow the .org page is still not updated. And I don't know how those pages are related anyway.
http://www.gzip.org/zlib/ is supposed to be the official page with http://www.zlib.net/ being the mirror. http://www.zlib.org/ is a pointer to http://www.gzip.org/zlib/. I wanted to make sure zlib 1.2.2 was official, so I wrote zlib@gzip.org and asked since it wasn't on the official page. This response is from Mark Adler, co-author of zlib On Nov 1, 2004, at 2:42 AM, jdratlif@indiana.edu wrote: > I want to know if this is an official site and I should trust this, > because the official site seems to be gzip.org/zlib. Yes, zlib.net is official, and 1.2.2 is the latest version. Unfortunately, we have not been able to get in touch with Jean-loup to update the gzip.org site. mark
