mailing list archives
Re: about zlib vulnerability
From: Paul Wouters <paul () xtdnet nl>
Date: Fri, 15 Mar 2002 01:16:41 +0100 (MET)
On Thu, 14 Mar 2002, tele wrote:
The vulnerable zlib 1.1.3 code can be even found on the freeswan
1.95 source tree and previous versions, therefore there's a
potential vulnerability at kernel level; besides at the web site
http://www.freeswan.org the problem is not properly treated.
From the Freeswan list:
Henry Spencer <henry () spsystems net> wrote:
The FreeS/WAN project classes this bug as non-critical, because an IPsec
packet must pass authentication (and be successfully decrypted) before our
copy of zlib is asked to decompress it, even if the configuration permits
compression (which the default ones do not). This greatly limits real
exposure as a result of this bug.
Our next release (1.97, expected at the beginning of April) will
incorporate the fix.