255123 – www-servers/cherokee bundles an internal copy of zlib-1.1.3

Bug 255123 - www-servers/cherokee bundles an internal copy of zlib-1.1.3

Summary: www-servers/cherokee bundles an internal copy of zlib-1.1.3

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	José Alberto Suárez López (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	bundled-libs
	Show dependency tree

Reported:	2009-01-16 01:49 UTC by Diego Elio Pettenò (RETIRED)
Modified:	2010-06-16 08:30 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Diego Elio Pettenò (RETIRED) gentoo-dev

2009-01-16 01:49:21 UTC

I hope at least it has the vulnerabilities fixed, but it's still pretty un-nice, I can think of a couple very interesting attack patterns actually, if they are not.

Comment 1 Stefan de Konink 2009-01-19 17:47:03 UTC

(In reply to comment #0)
> I hope at least it has the vulnerabilities fixed, but it's still pretty
> un-nice, I can think of a couple very interesting attack patterns actually, if
> they are not.

Can you tell me why you make this such big fuzz? If you simply did a ldd on the binary and library you see that it actually uses the system zlib. So what is your point?

Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev

2009-01-19 17:56:44 UTC

I'd say you should refrain from commenting if you don't even know what ldd output means at all.

Comment 3 José Alberto Suárez López (RETIRED) gentoo-dev

2010-06-16 08:30:20 UTC

This is an upstream desicion, they dont plan to add a new dependency, adn they used the same version embbeded in kernel so it's supposed to be safe