184592 2007-07-08 10:43 0000 dev-lang/erlang bundles internal zlib (CVE-2004-0797, CVE-2005-1849) 2007-07-24 11:32:04 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED B3 [noglsa] P1 normal --- 1 fauli@gentoo.org security@gentoo.org emacs@gentoo.org lang-misc@gentoo.org fauli@gentoo.org 2007-07-08 10:43:31 0000 After becoming aware that erlang ships its internal copy of zlib (thanks to flameeyes), I checked the version included. Current stable 11.2.1 has zlib 1.1.4 while the latest in testing (11.2.5) has 2.2.3 (current zlib). Between that there have been fixed at least two security issues. See bug 99751 (A1) and bug 61749 (A3). As zlib is patched, I cannot simply remove it and build against the system one, but upstream promised me to enable that in version 12. My proposal: Stabilise 11.2.5 immediately (no bug reports in the few days it has been in the tree). fauli@gentoo.org 2007-07-14 13:34:37 0000 Arches please stabilise dev-lang/erlang-11.2.5 dertobi123@gentoo.org 2007-07-15 22:01:23 0000 ppc stable gustavoz@gentoo.org 2007-07-17 21:47:56 0000 sparc stable. fauli@gentoo.org 2007-07-18 05:48:26 0000 Changing status, as all arches are stable jaervosz@gentoo.org 2007-07-18 06:07:13 0000 Thx Opfer. I tend to vote NO. ulm@gentoo.org 2007-07-18 06:43:36 0000 CVE-2005-1849 and CVE-2004-0797 from the two originally cited zlib bugs are both denial-of-service attacks which IMHO means that this one is severity B3. py@gentoo.org 2007-07-18 07:34:59 0000 Thanks Ulrich. I vote NO. aetius@gentoo.org 2007-07-24 10:56:47 0000 I vote no. py@gentoo.org 2007-07-24 11:32:04 0000 closing without glsa then. Feel free to reopen if you disagree, as always :)