Bug 184592 - dev-lang/erlang bundles internal zlib (CVE-2004-0797, CVE-2005-1849)

Bug#: 184592
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: normal
Priority: P1
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: fauli@gentoo.org
Component: Security
Summary: dev-lang/erlang bundles internal zlib (CVE-2004-0797, CVE-2005-1849)
Status Whiteboard: B3 [noglsa]
Opened: 2007-07-08 10:43 0000
After becoming aware that erlang ships its internal copy of zlib (thanks to
flameeyes), I checked the version included. Current stable 11.2.1 has zlib
1.1.4 while the latest in testing (11.2.5) has 2.2.3 (current zlib). In between,
at least two security issues have been fixed.
See bug 99751 (A1) and bug 61749 (A3). As zlib is patched, I cannot simply
remove it and build against the system one, but upstream promised me to enable
that in version 12.
My proposal: Stabilise 11.2.5 immediately (no bug reports in the few days it
has been in the tree).
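The check the reporter describes, locating a bundled zlib.h and reading its ZLIB_VERSION, written out as an added example; it is not code from this bug or from the Erlang project. The fixture tree, its paths and the 1.2.3 minimum are assumptions made for the demonstration.

```python
"""Scan a source tree for bundled copies of zlib and flag stale ones.
The fixture below is constructed; it is not a real Erlang release tarball."""
import os
import re
import tempfile

# zlib.h carries its version as:  #define ZLIB_VERSION "1.2.3"
_VERSION_RE = re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([0-9.]+)"', re.M)


def parse_version(text):
    """Return ZLIB_VERSION from zlib.h contents as an int tuple, or None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def find_bundled_zlib(root, minimum=(1, 2, 3)):
    """Walk `root`; return (relative path, version, is_stale) for every zlib.h found.
    `minimum` is the oldest version treated as acceptable (assumed default: 1.2.3)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "zlib.h" not in files:
            continue
        path = os.path.join(dirpath, "zlib.h")
        with open(path, encoding="utf-8", errors="replace") as handle:
            version = parse_version(handle.read())
        if version is None:  # some unrelated header that happens to be named zlib.h
            continue
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        hits.append((rel, ".".join(map(str, version)), version < minimum))
    return sorted(hits)


def build_fixture():
    """Create a constructed tree with one stale and one current bundled zlib copy."""
    root = tempfile.mkdtemp(prefix="bundled-zlib-")
    samples = {"vendor_a/zlib/zlib.h": "1.1.4", "vendor_b/zlib/zlib.h": "1.2.3"}
    for rel, ver in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full))
        with open(full, "w", encoding="utf-8") as handle:
            handle.write('/* constructed stub, not real zlib */\n#define ZLIB_VERSION "%s"\n' % ver)
    return root


if __name__ == "__main__":
    for rel, ver, stale in find_bundled_zlib(build_fixture()):
        print("%-24s zlib %-6s %s" % (rel, ver, "STALE" if stale else "ok"))
```

Point the scanner at an unpacked tarball instead of the fixture to audit a real package; a stale hit means the bundled copy, not the system zlib, is what the build links against.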
Arches please stabilise dev-lang/erlang-11.2.5

Changing status, as all arches are stable

Thx Opfer.

I tend to vote NO.

CVE-2005-1849 and CVE-2004-0797 from the two originally cited zlib bugs are
both denial-of-service attacks which IMHO means that this one is severity B3.

Thanks Ulrich. I vote NO.

Closing without GLSA then. Feel free to reopen if you disagree, as always :)