NetBSD Security Advisory NetBSD-SN20050708-1: NetBSD base system not vulnerable to zlib overflow


NetBSD Security Note 20050708-1
===============================

Topic: NetBSD base system not vulnerable to zlib overflow
pkgsrc did provide vulnerable versions

A zlib buffer overflow has been announced.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2096

The NetBSD Security Officer team was aware of this issue, and would
like to reassure users that the NetBSD base system is not vulnerable.

The bug was introduced in changes to zlib after 1.1.4, the latest
version supplied in the base install of NetBSD.

The vulnerable version, 1.2.2, has been available from pkgsrc.

Users of the audit-packages tool will already have noticed that this
version is marked as vulnerable, and the 1.2.2nb1 update addresses the issue.

Other pkgsrc users are encouraged to update devel/zlib to 1.2.2nb1, as
well as to take advantage of the security/audit-packages infrastructure.
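
The version boundaries above can be checked mechanically. The script below
is an added example, not part of the advisory or of pkgsrc: it classifies a
zlib package name against the versions this note gives. The function names
and the simplified version comparison (dotted numbers plus an optional nbN
package revision) are assumptions of the example, as is treating every
version after 1.1.4 and below 1.2.2nb1 as affected.

```sh
#!/bin/sh
# Added example (not from the advisory): classify a pkgsrc zlib package name
# against the versions the note gives. Assumed reading of the note:
#   up to 1.1.4                   predates the bug (the base system's version)
#   after 1.1.4, below 1.2.2nb1   affected (1.2.2 is the version named)
#   1.2.2nb1 and later            carries the fix
# Handles dotted numeric versions with an optional nbN suffix only.

# cmp_dotted A B: print -1, 0 or 1 for A <, =, > B (missing fields count as 0)
cmp_dotted() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# zlib_status NAME: print predates-bug, affected, fixed or unknown
zlib_status() {
    ver=${1#zlib-}                      # drop the package base name
    case $ver in
        *nb*) up=${ver%%nb*} rev=${ver##*nb} ;;   # upstream part, pkgsrc revision
        *)    up=$ver rev=0 ;;
    esac
    case $up in ''|*[!0-9.]*) echo unknown; return ;; esac
    case $rev in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$(cmp_dotted "$up" 1.1.4)" -le 0 ]; then
        echo predates-bug
    elif [ "$(cmp_dotted "$up" 1.2.2)" -lt 0 ]; then
        echo affected
    elif [ "$(cmp_dotted "$up" 1.2.2)" -eq 0 ] && [ "$rev" -lt 1 ]; then
        echo affected                   # 1.2.2 without the nb1 package fix
    else
        echo fixed
    fi
}

# Constructed sample package names
for p in zlib-1.1.4 zlib-1.2.1 zlib-1.2.2 zlib-1.2.2nb1 zlib-1.2.3; do
    printf '%s\t%s\n' "$p" "$(zlib_status "$p")"
done
```

On a pkgsrc system the installed package name to feed in can be obtained
with "pkg_info -e zlib"; audit-packages remains the authoritative check.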

Thanks To
=========

Tavis Ormandy
Colin Percival
Mark Adler
Matthias Drochner
Matthias Scheler

More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SN20050708-1.txt,v 1.1 2005/07/08 15:54:11 david Exp $
