OSNews

Updating my suse system, just before I browsed. I found the zlib updates, and applied them! Then I browsed to read about the security hole

Long live OSS, MS takes what months to fix their shit

This hasn't happened since the MAndrake 8.x days. I remember having to update almost the entire system, because so much depends on zlib. This should be fun on Gentoo. I guess it is time to emerge sync.

not to troll...

since we have discussed before the pros/cons of ways to handle packages with some distros rolling everything into one package, i think gobo linux and pc-bsd or something....

And as was mentioned before instead of one hole in your operating system you would have numerous occurances. Here is one shining example...is it not?

I actually learned about the vulnerability when I saw that there was a updated zlib package for Ubuntu.

I have to say I'm quite pleased with the speed of updates on this distro.

To the anonymous troll: do you view security flaws in Windows as a failure of the closed-source software model?

If I get it right, FreeBSD had it fixed for about a month already.

Ah no, that was for gzip problem.

Makes it again obvious how important early warning and the means of updating is.

YHBT.

I don't think there's been a month of my linux-using life yet where zlib hasn't had a vulnerability....

Seriously, this library just seems to be ridden with security and/or stability issues.

RedHat seems to replace it constantly.

first - i make a montion to ban (IP: 66.98.198.---)

second - software is written by humans, therefore fallible.... security comes into question when something is discovered and not fixed, shall we bet who has it fixed first. And should we bet who will KNOW they have it fixed the open source systems that have to update one library or the closed-source systems that have it rolled into a bunch of different programs? Do they know what all programs have it, what about third party closed-source programs that use it? How will M$ update some program you downloaded from the web that happens to use the library...they WONT!

open source has reqponded to the threat and due to better design it will be a simple fix, M$ on the other hand....go figure...

can I second the motion as well...

Well, I am on Suse 9.2. I am using gwdg as a source. So, it may not be really official

Anybody hear when the source code is released? I have about half a dozen linux/unix and solaris boxes to upgrade.

Hadn't read this story, but I noticed it was fixed on my Ubuntu desktop machine and Debian server when I checked for updates a couple of hours ago. Certainly fast work, a good example of how free software folks can get their act together when it's something this critical. Still got a FreeBSD machine to do tomorrow when I get around to it, but the advisory is already on their website as well.

Now I just need to wait for Apple, who will hopefully have an update available tomorrow morning.

The article says:

"Mark Adler [a Zlib co-author] responded to my report with a patch"

Does anyone know where the zlib team has posted the patch at?

Hmmmm... The update found by an OSS team auditing the source code. They make a fix in a couple of minutes, then pass it on to the original author, who double checks everything and in less than a day they've got a verified patch that's picked up by major distributors and disseminated. Since only the library needs to be replaced, it's a small fix.

Meanwhile, MS is "looking into it". Since zlib is statically linked into many of their executables, I suspect the "looking" involves decising whether or not it's worth the hassle of fixing now or waiting to see if they can roll it into the next service pack.

Ok, this is getting rediculous. Zlib has a flaw and it gets patched. One small little program. This is a 3rd party library that linux distros include. It's not created from the linux kernel hackers or distro makers themselves. So how does the speed this is being patched compare to Microsoft releasing patches for a whole operating system instead of one small program? It doesn't at all. You are comparing a 3rd party to the vendor. Apples and oranges.

> So how does the speed this is being patched compare
> to Microsoft releasing patches for a whole
> operating system instead of one small program?

a) statically linking is lame unless it's in a kernel or rescue app, mmmmk?
b) if it affects MS products, a patch should come fast
c) most every other vendor using zlib has responded
d) microsoft keeps shouting "WE ARE MORE SECURE" from rooftop

For reference, I run Gentoo Linux.

scylla# ls -l /lib/libz*2
-rwxr-xr-x 1 root root 69768 Jul 6 11:12 /lib/libz.so.1.2.2

That's right, the date says yesterday @ 11:12am.

Every second that there isn't patching for MS' products is another strike against them.

s/Apache/Windows/
s/Red Hat/Microsoft/

What is being lost in all the comparisons with MS is that this vulnerability was discovered by Tavis Ormandy of the Gentoo Linux Security Audit Team. For those who don't understand: He was performing a security audit of the code - something that very few vendors do of their own stuff, even when they charge an arm and a leg for their crapware.

FC4 has the fix available I just ran "yum update" and it's taken care of :-)

Unfortunately I don't think debian sarge is going to be able to jump quickly on this one with their current security issues :-(

I have agree, but it's just not open source, but the whole source (close, open, etc) together. So I wouldnt single out open source model as a failar at all. I put a plus 1 for your comment since a troll gave you -5.

I work primarily as a closed-sourced developer, and I can attest, after seeing MANY thousands of lines closed-source code, that open source code is normally of a much higher quality. It is simply amazing to me the number of $1,000,000 projects that consist of code with no real coding standards - poor indentation, poorly-named variables, etc. When I look at the code to open-source programs I have to compile, I see none of this.

I believe you should implement a new feature in OSNews 3.1.

There should be a ban person button under each comment. People using anonymizer.com or not logged in should not be able to use this. It should only allow one click per IP address per post. If more than 30 people click to ban someone from the site in a certain time period, their ip address should be completely blocked access. I don't think we should have to wade through some of the posts being put on this forum, espescially people who are subscribers (I'll admit I'm not, and never will be until this problem is fixed).

Even if people don't end up getting banned, it will keep them in-line.

If you load up a new WinXP install and go to Windows Update and load all the updates, count how many of them involve resolving problems which otherwise could have lead to a remote system compromise. <tin foil hat conspiracy time> There's tons of them. I wonder if they're really bugs at all or just publically discovered backdoors.</tin foil hat>

Thank god modern Linux distros don't suffer from all these remote compromise holes.

Of course it was the security team of the best distro around that found the flaw

CAN-2005-2096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

DSA-740
http://www.debian.org/security/2005/dsa-740

FreeBSD-SA-05:16
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16...

GLSA-200507-05
http://www.gentoo.org/security/en/glsa/glsa-200507-05.xml

RHSA-2005:569
http://rhn.redhat.com/errata/RHSA-2005-569.html

SUSE-SA:2005:039
http://www.novell.com/linux/security/advisories/2005_39_zlib.html

USN-148-1
http://www.ubuntulinux.org/support/documentation/usn/usn-148-1

Please, somebody provides reference to Microsoft's security advisories.

I think there is a difference between bugs and vulnerabilities...

Bugs are those problems of a software that affect users, either something is malfunctioning or displaying unexpected behaviour, during the software's expected usage.

Vulnerabilities are usually those potential holes of a software where malicious people can write speicific code attacking such holes to achieve their specific purpose.

Compared to bugs that can be prevented or removed through extensive testing from programmers and users, vulnerabilities are usually more difficult to be detected. This is not only because the fact that most programmers are not malicious people ;D , but also because people usually have a set of assumptions and don't usually foresee problems that may have if these assumptions have not been met.

It's like, bakers have to make sure the bread they bake is safe to eat, delicious and good-looking. But it's just difficult for them to foresee (or do anything) to stop malicious people from adding in poisons to the bread intentionally to kill someone.

If the world is so perfect, London's police and intelligence departments could have stopped Bin Laden's bombers before anything happens. As always, things can be improved, but even god is so powerful, there are still chances where devil comes in and mess things up. So, please do not blame the programmers (either Microsoft's or not) for not being as thoughtful as Bin Laden...

However, the zlib example demonstrates how bugs and vulnerabilities of commonly used shared libraries can pose widespread and serious risks... the world will need discussions on how better methodologies or procedures can be implemented to eliminate such risks if things do go wrong.

and Mandriva MDKSA-2005:112, dated July 6th like the others. I think there was some sort of collaboration between Linux vendors on releasing a fix simultaneously (that's my guess, not fact...)

Obviously there is quality control. But maybe it should have taken place before release. A lot of programmers have used the library before sufficient quality control.

No products are ever perfect -- I agree on that. But a library which is designed to be used by many different applications should be of a better quality than the average software. The OpenBSD team have shown the way!

Not all programs need to be designed with security in mind. But many do.

I am not blaming the programmers who created the library. But if programmers use libraries without doing anything to assess the quality, they should be aware of the risks. So you have to either trust the team that made the library, check if anyone else have controlled the software, or check it yourself (or live with the uncertainty).