Home > Privacy, Security > Zlib Security Flaw Exposes Swath Of Programs Zlib Security Flaw Exposes Swath Of Programs Andrew Youll 2005-07-07 Privacy, Security 73 Comments A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected. About The Author 73 Comments 2005-07-07 5:08 pm Anonymous Yet another failure of the open source software model. 2005-07-07 5:12 pm Anonymous a library that is used by opensource operating systems as well as closed source ones….. yea, thats a failure…. if anything is a failure it is that the way the closed source operating systems use the library…. i am sure your troll comment will be blasted into oblivion by someone with some votes…. 2005-07-07 5:11 pm Anonymous “Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under liberal BSD-style license.” Clue. Get one. 2005-07-07 5:13 pm Anonymous Forgive me for replying to either an obvious troll or a completely sarcastic comment; however, this is clearly an example of the power of the open source model as many open source OS projects already have fixes ready for their users. 2005-07-07 5:14 pm Anonymous Updating my suse system, just before I browsed. I found the zlib updates, and applied them! Then I browsed to read about the security hole Long live OSS, MS takes what months to fix their shit 2005-07-07 5:27 pm Thom Holwerda Mmm, the YOU on my SuSE 9.3 doesn’t show any updates at all.. Where did you get it from? What version of SuSE are you running? 2005-07-08 4:35 am Anonymous Look again. The update is available: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/zlib-1.2.2-5…. ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/zlib-devel-1…. ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/zlib-1.2.2-5…. ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/zlib-devel-1…. Check your settings and verify that you are using a valid mirror. 2005-07-07 5:14 pm Anonymous This hasn’t happened since the MAndrake 8.x days. I remember having to update almost the entire system, because so much depends on zlib. This should be fun on Gentoo. I guess it is time to emerge sync. 2005-07-07 5:18 pm Anonymous not to troll… since we have discussed before the pros/cons of ways to handle packages with some distros rolling everything into one package, i think gobo linux and pc-bsd or something…. And as was mentioned before instead of one hole in your operating system you would have numerous occurances. Here is one shining example…is it not? 2005-07-07 6:26 pm hobgoblin most likely your refering to pc-bsd as gobolinux still have the libs seperated from the apps. ie, update ones and you get them all. as long as the update dont break one of them. still, if that happens you can keep the lib around for those few and as they are updated they will no longer use the old one. so eventualy you can remove it. 2005-07-07 5:19 pm Anonymous a library that is used by opensource operating systems as well as closed source ones….. So the lesson is NEVER RELY ON ANY OPEN SOURCE SOFTWARE OR LIBARAY AS IT WILL MOST DEFINATELY BE BUGGY TRASH WRITTEN BY AMATEURS. 2005-07-07 5:23 pm archiesteel I actually learned about the vulnerability when I saw that there was a updated zlib package for Ubuntu. I have to say I’m quite pleased with the speed of updates on this distro. To the anonymous troll: do you view security flaws in Windows as a failure of the closed-source software model? 2005-07-07 5:23 pm Buck If I get it right, FreeBSD had it fixed for about a month already. 2005-07-07 5:24 pm Buck Ah no, that was for gzip problem. 2005-07-07 5:25 pm netpython Makes it again obvious how important early warning and the means of updating is. 2005-07-07 5:26 pm Anonymous To the anonymous troll: do you view security flaws in Windows as a failure of the closed-source software model? I view the security flaws in Windows as a symptom of their over-reliance on open source software. 2005-07-07 5:30 pm Anonymous Including the security flaws that aren’t contained in open source software? I can’t make sense of that argument, could you please help me understand? CaptainN 2005-07-07 8:33 pm Clinton The original poster said that this problem with zlib showed the failures of open-sourced software (or something like that). The poster you are replying to then ask him if he viewed security flaws in Windows (a closed-sourced product) as failures of the closed-source development model. Does that help? 2005-07-07 5:29 pm Anonymous YHBT. 2005-07-07 5:34 pm Anonymous Including the security flaws that aren’t contained in open source software? I can’t make sense of that argument, could you please help me understand? All of Microsoft’s security problems are caused by bugs in open source software that they have incorporated into their code. As the saying goes: ‘If you want something done right, you’ve got to do it yourself.’ 2005-07-07 5:35 pm ma_d I don’t think there’s been a month of my linux-using life yet where zlib hasn’t had a vulnerability…. Seriously, this library just seems to be ridden with security and/or stability issues. RedHat seems to replace it constantly. 2005-07-07 5:58 pm Latem Huh, where are you getting this info? I just searched through Mandriva and Suse security advisories, and there are only 2 zlib security advisories within the last 2+ (almost 3) years… I really don’t think this is that big of a deal. Pretty much all major Linux distributions had a fix within 24-48 hours after the discovery. And it certainly is painless to update this. As they explain in the article, pretty much everything uses this as a shared library. One update to fix most of the affected software. 2005-07-07 5:42 pm Anonymous first – i make a montion to ban (IP: 66.98.198.—) second – software is written by humans, therefore fallible…. security comes into question when something is discovered and not fixed, shall we bet who has it fixed first. And should we bet who will KNOW they have it fixed the open source systems that have to update one library or the closed-source systems that have it rolled into a bunch of different programs? Do they know what all programs have it, what about third party closed-source programs that use it? How will M$ update some program you downloaded from the web that happens to use the library…they WONT! open source has reqponded to the threat and due to better design it will be a simple fix, M$ on the other hand….go figure… can I second the motion as well… 2005-07-08 9:10 am haugland I agree, that software is fallible. But software can be a lot better if the programmers focus on quality. Both open and closed software has its share of ignorant/lazy coders and quality can be good or bad for both open and closed software. Libraries used in so much software ought to be better. And the lack of quality control is as much a responsibility of the programmers that use the library as the programmers that make the library. Regarding fixes: The really important aspect is how easy it is for the user to fix the problem. And for some distros this is easyer than for Windows, and for some it is not. But this is somthing open source is getting much better at IMO. 2005-07-08 3:59 pm BigZaphod What do you mean a lack of quality control? If there was a total lack, this hole wouldn’t even be known and yet here it is announced having been fixed! I don’t understand how so many people can jump all over developers every time a *fix* to a venerability is released. Where does the unreasonable expectation that all software be released in a perfect state come from? No products are ever perfect when they are released and many classes of products can take generations to get right. Using the classic car example, consider how much safer and longer-lasting automobiles have become over the years as they refine their processes? Does anyone seriously think that the first Model-T should have rolled off the line looking and feeling like a modern-day compact that can do 200,000 miles in its lifetime and is outfitted with airbags, anti-lock breaks, crumple zones, and an alarm system? That’s just plain unreasonable. Any new piece of software that does something different is somewhat akin to a new line of car. Every new software author is similar to a new and upcoming auto manufacturer. Each product (car, software, candy, etc) always has its own shares of quirks which can take a long time to iron out and each time a new manufacturer or developer enters the scene, they have a lot of things to learn about getting up to speed with what they are doing, what the common practices are, and how to generally do business. There will be mistakes. Some developers are still learning the tricks of the trade and some software is maturing and settling in to its niche where finally the quirks are becoming understood. Don’t ever let anyone fool you into thinking that the “professional” software developers are somehow more prepared than the amateurs in this regard – after all, it seems the only thing that separates a professional from an amateur is wether or not they get paid for it. Most highly active open source authors are professional programmers or system administrators during the day. When they go home and release something they’ve created on their own time they suddenly become listed as an amateur and when there’s a bug it is clearly the fault of inexperience and/or ineptitude? That makes no sense. 2005-07-07 5:44 pm Anonymous Well, I am on Suse 9.2. I am using gwdg as a source. So, it may not be really official 2005-07-07 5:47 pm Anonymous four obvious troll posts alone in this thread… isnt that enough for a banning……. we should have a ‘nominate for banning’ button also… 2005-07-07 5:49 pm Anonymous software is written by humans, therefore fallible…. security comes into question when something is discovered and not fixe… blah … blah … blah … M$ … blah Yes, all software is fallible. It’s just that open source software is at least 100x more fallible. 2005-07-07 6:10 pm Anonymous 100x? wow you have researched… i like your facts that back those figure up… while you was typing random zeros why not go for 1000x… just wondering… it couldnt be that with open source you actually hear about a flaw and a fix, whereas with closed source you wont hear about a flaw unless someone else finds it and even then you wont hear about a fix for a loooong while! nah, couldnt be that ok, thats enough bait for me… no more biting the troll lines…. 2005-07-07 5:53 pm Anonymous four obvious troll posts alone in this thread… isnt that enough for a banning……. Hello….McFly….hello! Every post here is an obvious troll. 2005-07-07 6:08 pm facerw Anybody hear when the source code is released? I have about half a dozen linux/unix and solaris boxes to upgrade. 2005-07-08 1:56 pm Anonymous Anybody hear when the source code is released? Here’s the patch from Gentoo Linux’s CVS repository: http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/sys-libs/zlib/… 2005-07-07 6:14 pm Brian Hadn’t read this story, but I noticed it was fixed on my Ubuntu desktop machine and Debian server when I checked for updates a couple of hours ago. Certainly fast work, a good example of how free software folks can get their act together when it’s something this critical. Still got a FreeBSD machine to do tomorrow when I get around to it, but the advisory is already on their website as well. Now I just need to wait for Apple, who will hopefully have an update available tomorrow morning. 2005-07-07 6:24 pm Anonymous The article says: “Mark Adler [a Zlib co-author] responded to my report with a patch” Does anyone know where the zlib team has posted the patch at? 2005-07-08 12:59 am LiNuCe I don’t know if the ZLib team posted a patch, but you can use the patch  included in the Debian source package  which fixes this security issue. It seems that the only file concerned is inftrees.c. This is the patch I used to fix zlib-1.2.2 on Slackware Linux 10.1.  http://www.debian.org/security/2005/dsa-740  http://linuce.free.fr/zlib-1.2.2-inftrees.c.diff 2005-07-07 6:27 pm Anonymous Hmmmm… The update found by an OSS team auditing the source code. They make a fix in a couple of minutes, then pass it on to the original author, who double checks everything and in less than a day they’ve got a verified patch that’s picked up by major distributors and disseminated. Since only the library needs to be replaced, it’s a small fix. Meanwhile, MS is “looking into it”. Since zlib is statically linked into many of their executables, I suspect the “looking” involves decising whether or not it’s worth the hassle of fixing now or waiting to see if they can roll it into the next service pack. 2005-07-07 6:34 pm Anonymous 100x? wow you have researched… i like your facts that back those figure up… while you was typing random zeros why not go for 1000x… just wondering… I know for a fact that open source code is far more buggier than proprietary code. At least 100x more buggier. I know from my 20+ years of experience. You just aren’t so concerned about quality when your job is not on the line and the only reason that you are coding is for bragging rights in your circle-jerk group. it couldnt be that with open source you actually hear about a flaw and a fix, whereas with closed source you wont hear about a flaw unless someone else finds it and even then you wont hear about a fix for a loooong while! nah, couldnt be that Oh those poor open source folks and the constant barrage of attention they get. Microsoft has it sooo easy. It’s not like every maladjusted basement dweller is constantly attacking Microsoft software. It’s not like there are whole companies whose only purpose is to hammer on Windows 24/7. Everyone always targets open source, nobody even looks at Windows. ok, thats enough bait for me… no more biting the troll lines…. Like all overly-opinionated dorks, you can’t resist pontificating and offering your opinions (which you confuse with facts) to people who don’t want to hear them. Don’t pretend that you don’t enjoy the opportunity to blow your hot air on a public forum. 2005-07-07 6:46 pm Anonymous I know for a fact that open source code is far more buggier than proprietary code. At least 100x more buggier. I know from my 20+ years of experience. You just aren’t so concerned about quality when your job is not on the line and the only reason that you are coding is for bragging rights in your circle-jerk group. Of course you are concerned with quality when you are writing open source! Your client will actually be able to inspect the code. I can not belive you when you say that open source is 100x buggier then closed source. Look at the relation of security holes between Apache and IIS. They are both very poplular webservers, but IIS has a much worse track record when it comes to security. 2005-07-07 6:54 pm Latem I know for a fact that open source code is far more buggier than proprietary code. At least 100x more buggier. I know from my 20+ years of experience. You just aren’t so concerned about quality when your job is not on the line and the only reason that you are coding is for bragging rights in your circle-jerk group. How can you know this for a fact? Your 20+ years of experience has yet to teach you the basics of logic for forming sounding arguments… This may be just an opinion, which is fine. But there is no facts on this. Why? Because closed software is closed. How can you even begin to speculate on the number of bugs in closed software? You can’t. That’s the whole thing about OSS. Thru the community, and peer review, you hope that the bugs will be spoted and fixed faster. This is an advantage of the OSS model. But how can we know anything about the quality of a closed source software. Are we suppose to take your “expert” opinion and trust your word that it’s good; and somehow all the problems are coming from the open source parts of your code? Come on… The best we can do is look at the number and the scale of problems that arise thru the use of such software. With Windows, we know it’s quality is kinda poor, because there are a lot of problems arising as a result of it’s use. All the daily security flaws, viruses, spyware… I guess they are fault of open source velnurabilities, such as this one in zlib. Also, I think it’s important to remind everyone that there is no known exploit of this. It’s just a newly discovered flaw, that’s been fixed quickly. The fact is you are probably gonna get scored down, because it seems you just want a flame war. 2005-07-07 6:38 pm TaterSalad Ok, this is getting rediculous. Zlib has a flaw and it gets patched. One small little program. This is a 3rd party library that linux distros include. It’s not created from the linux kernel hackers or distro makers themselves. So how does the speed this is being patched compare to Microsoft releasing patches for a whole operating system instead of one small program? It doesn’t at all. You are comparing a 3rd party to the vendor. Apples and oranges. 2005-07-07 8:44 pm Clinton It is relevant because Microsoft uses Zlib too. The Linux, BSD, etc. guys are already patched (or at least have a patch available), but Microsoft can’t do that so they are “looking into it”. This means that your Windows box(es) are still vulnerable to the flaw while the OSS systems out there are not. That’s why the comparison is far from “rediculous” 2005-07-07 6:52 pm rm6990 20 + years of experience and you have nothing better to do than troll in an online forum? How pathetic. 2005-07-07 7:03 pm Anonymous > So how does the speed this is being patched compare > to Microsoft releasing patches for a whole > operating system instead of one small program? a) statically linking is lame unless it’s in a kernel or rescue app, mmmmk? b) if it affects MS products, a patch should come fast c) most every other vendor using zlib has responded d) microsoft keeps shouting “WE ARE MORE SECURE” from rooftop For reference, I run Gentoo Linux. scylla# ls -l /lib/libz*2 -rwxr-xr-x 1 root root 69768 Jul 6 11:12 /lib/libz.so.1.2.2 That’s right, the date says yesterday @ 11:12am. Every second that there isn’t patching for MS’ products is another strike against them. 2005-07-07 7:05 pm rm6990 Hmmm, funny. The proprietary software model is better, yet zlib, a library used on Windows, Linux, BSD, contains a flaw which was found and fixed by open source developers. If Microsoft makes use of this library, and ther model of software development is superior, why didn’t their programmers find the flaw first? Were they taking a nap when this all went down or something? Better yet, while Red Hat et al have released patches (got mine yesterday for Ubuntu), why hasn’t Microsoft released a patch yet? Is leaving customers exposed to a security flaw patched by most other vendors a “feature” of this so-called superior closed soure style of development? 2005-07-07 7:11 pm Anonymous “why hasn’t Microsoft released a patch yet?” Because silly, they were busy reclassifying Claria spyware as “not” spyware. (http://www.eweek.com/article2/0,1895,1834607,00.asp) ” Is leaving customers exposed to a security flaw patched by most other vendors a “feature” of this so-called superior closed soure style of development?” Of course! Haven’t you heard that you get what you pay for when you purchase closed source? 2005-07-07 7:10 pm Anonymous Of course you are concerned with quality when you are writing open source! Your client will actually be able to inspect the code. Open source doesn’t have clients because you have to look at the source and fix it yourself. In the open source world, there are just people who beg for fixes and features from unresponsive developers who consider them ‘clueless lusers who don’t RTFM’ and wish that they would just go away because the developers are only ‘scratching their itch’. I can not belive you when you say that open source is 100x buggier then closed source. Look at the relation of security holes between Apache and IIS. They are both very poplular webservers, but IIS has a much worse track record when it comes to security. There are more break-ins on Apache servers than IIS servers. 2005-07-07 7:19 pm Anonymous > There are more break-ins on Apache servers than IIS > servers Since there are almost three times as many Apache servers out there, many of the administrated by dumb-as-rocks MCSEs without a clue, this isn’t hard to believe at all. But I’m willing to be it’s neither Linux nor Apache that is getting hacked… 99% of the time, it’s someone that’s installed some script off a scripts site and never updated it. Like PHPBB, PHPNuke, various multitudinous amateurly-programmed others…most of the rest of the time it’s lazy administration that has never updated the OS. P.S. Redhat is to blame for a lot of Linux intrusions with their version-based releases. Someone still forced to run particular apps on Redhat 9, for example, has been abandoned. Version-based releases on *nix are a BAD IDEA. Just a random rant. 2005-07-07 7:24 pm Anonymous s/Apache/Windows/ s/Red Hat/Microsoft/ 2005-07-07 7:34 pm Anonymous What is being lost in all the comparisons with MS is that this vulnerability was discovered by Tavis Ormandy of the Gentoo Linux Security Audit Team. For those who don’t understand: He was performing a security audit of the code – something that very few vendors do of their own stuff, even when they charge an arm and a leg for their crapware. 2005-07-08 7:16 am Celerate “For those who don’t understand: He was performing a security audit of the code – something that very few vendors do of their own stuff, even when they charge an arm and a leg for their crapware.” What so many people don’t realize is that programming isn’t as simple as the “baking a cake” analogy they are often presented with, that is by far an over simplification. Programming is more comparable to advanced math in my opinion, you need to do research, problem solve, design the program, write it, test it to see if it works, and finally fix any bugs you find. If you do happen to find a bug, you have to filter through all the code to find out where its happening, then you have to figure out why its happening and finally you have to figure out how to make it work. It can take an eternity to make sure code doesn’t have bugs, and developers can’t make money if they don’t release their software eventually. Programming languages aren’t pseudocode, a lot of people think of writing a program in terms of the way a human mind would work: people can read instructions off a piece of paper and follow them despite grammar errors, mispelled words, incorrect words, and of course people can compensate for errors in the instructions. Programming isn’t like that, you don’t get to think in terms of how things work in your brain any more, you have to think in terms of what the compiler can translate instead, and even when something compiles that only means the compiler hasn’t found any of the common errors in the code that is was programmed to recognize, not in the way the program would work. Trust me, writing a program isn’t as simple as what you’ve seen on TV or in person, you can’t get a grasp of what’s going on inside the developer’s head when you’re only watching them work, just because a developer knows what to type doesn’t mean its always easy. Of course you know by now that I am going by the assumption that you haven’t any prior experience with programming, please don’t be insulted if this isn’t the case as the assumption was simply so I wouldn’t write anything too complicated if my assumption turned out to be correct. My point is basically that people don’t know or appreciate how complicated programming can get. I get really irritated when people believe what they see in movies, where some “hollywood hacker” sits at a computer, glances at someone’s code for a minute or two, and then points out and fixes all the bugs in it. Why does it irritate me? The simple answer is because so many people believe that its really that easy. Writing software isn’t really so easy that any Joe Sixpack off the street can learn it in 24 hours, or in 7 days; learning how to program is actually gradual, and with languages like C++ it will usually take at least two years to get a good grasp of the language. Finding bugs gets even harder than writing the program, and that’s because most bugs aren’t obvious, may never be found for years, and are usually discovered by accident because they didn’t show up in tests. Please keep that in mind before you assume that because software has bugs in it, the developer didn’t audit it enough. 2005-07-07 7:45 pm Anonymous …something that very few vendors do of their own stuff, even when they charge an arm and a leg for their crapware. Now I understand why open source produces so much crap. It’s because they hold very little value for software. How much quality software would you expect from someone who values all software at $0. 2005-07-07 7:53 pm Anonymous FC4 has the fix available I just ran “yum update” and it’s taken care of 🙂 Unfortunately I don’t think debian sarge is going to be able to jump quickly on this one with their current security issues 🙁 2005-07-07 8:18 pm facerw Actually debian sarge has the fix. Debian woody doesn’t. 2005-07-07 9:27 pm cm__ > Actually debian sarge has the fix. Yeah, that’s been a pleasant surprise. Things seem to be back to normal with Debian security. 2005-07-07 7:53 pm Anonymous Now I understand why open source produces so much crap. It’s because they hold very little value for software. How much quality software would you expect from someone who values all software at $0. So please tell me why Cisco is still vulnerable to ICMP exploits that have been known for years while OSS like OpenBSD is not. I’ll tell you: Security audits. Closed source or open source has nothing to do with the argument. The key point is that a security audit was being performed – something that is very rare these days – especially among closed source vendors (I worked for one where I had to put out the fires caused by lack of security QA). 2005-07-07 7:58 pm Anonymous So please tell me why Cisco is still vulnerable to ICMP exploits that have been known for years while OSS like OpenBSD is not. The reason is that Cisco can’t afford to invest in their products because there is a whore generation of Admins that are brainwashed into making due with OSS crapware. They value their tools at $0 and aren’t willing to invest in some quality software from Cisco. 2005-07-07 8:08 pm Shannara I have agree, but it’s just not open source, but the whole source (close, open, etc) together. So I wouldnt single out open source model as a failar at all. I put a plus 1 for your comment since a troll gave you -5. 2005-07-07 8:29 pm TommyD I work primarily as a closed-sourced developer, and I can attest, after seeing MANY thousands of lines closed-source code, that open source code is normally of a much higher quality. It is simply amazing to me the number of $1,000,000 projects that consist of code with no real coding standards – poor indentation, poorly-named variables, etc. When I look at the code to open-source programs I have to compile, I see none of this. 2005-07-08 1:42 am sappyvcv That has little to nothing to do with the code being open or closed source. It’s simply the people that worked on it. Open/closed source is a LICENSE, not a methodology for the style to write code. 2005-07-08 3:45 am LiNuCe > Open/closed source is a LICENSE, not a methodology for the style to write code. You are right. However when you write open source code, you know by definition that you potentially expose it to public developers, among whom there are competent people. Sometimes they are even more competent than you, so you tend to write it as clean as you can. Obviously, it does not mean your code is not error-prone. By the way, “as clean as you can” is quite subjective and does not always mean “clean” 2005-07-07 8:44 pm rm6990 I believe you should implement a new feature in OSNews 3.1. There should be a ban person button under each comment. People using anonymizer.com or not logged in should not be able to use this. It should only allow one click per IP address per post. If more than 30 people click to ban someone from the site in a certain time period, their ip address should be completely blocked access. I don’t think we should have to wade through some of the posts being put on this forum, espescially people who are subscribers (I’ll admit I’m not, and never will be until this problem is fixed). Even if people don’t end up getting banned, it will keep them in-line. 2005-07-07 8:48 pm Anonymous Sorry, rm6990, but a ban button will not make your failures go away. 2005-07-07 9:42 pm Anonymous If you load up a new WinXP install and go to Windows Update and load all the updates, count how many of them involve resolving problems which otherwise could have lead to a remote system compromise. <tin foil hat conspiracy time> There’s tons of them. I wonder if they’re really bugs at all or just publically discovered backdoors.</tin foil hat> Thank god modern Linux distros don’t suffer from all these remote compromise holes. 2005-07-07 11:16 pm Anonymous Thank god modern Linux distros don’t suffer from all these remote compromise holes. Thank God that Linux has so many clueless windbags promoting and treating it like a religion. Otherwise, it would have died long, long ago. 2005-07-07 11:57 pm Anonymous Thank god you’re a moron 2005-07-08 12:13 am Anonymous If you could come up with some retort or had any wit at all, you’d be real dangerous. 2005-07-08 12:14 am Anonymous Of course it was the security team of the best distro around that found the flaw 2005-07-08 4:49 am saxiyn CAN-2005-2096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096 DSA-740 http://www.debian.org/security/2005/dsa-740 FreeBSD-SA-05:16 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16… GLSA-200507-05 http://www.gentoo.org/security/en/glsa/glsa-200507-05.xml RHSA-2005:569 http://rhn.redhat.com/errata/RHSA-2005-569.html SUSE-SA:2005:039 http://www.novell.com/linux/security/advisories/2005_39_zlib.html USN-148-1 http://www.ubuntulinux.org/support/documentation/usn/usn-148-1 Please, somebody provides reference to Microsoft’s security advisories. 2005-07-08 6:14 am Anonymous Please, somebody provides reference to Microsoft’s security advisories. Why not just look the shit up yourself ? Stop posting bullshit on these forums and actually use the internet for something educational! Ah screw it, here you go. http://technet.microsoft.com/default.aspx If you can’t find the info there you are dumber than a bag of rocks. 2005-07-08 6:10 am Anonymous Everyone can pat backs and suck each others d*cks over the news but face it, we have been exposed to a serious flaw for a long time and Open or Closed source really dosen’t mean shit in regards to the problem because it took a very long time to discover this flaw and a LOT of people had access to the code. 2005-07-08 6:26 pm Amanda I think there is a difference between bugs and vulnerabilities… Bugs are those problems of a software that affect users, either something is malfunctioning or displaying unexpected behaviour, during the software’s expected usage. Vulnerabilities are usually those potential holes of a software where malicious people can write speicific code attacking such holes to achieve their specific purpose. Compared to bugs that can be prevented or removed through extensive testing from programmers and users, vulnerabilities are usually more difficult to be detected. This is not only because the fact that most programmers are not malicious people ;D , but also because people usually have a set of assumptions and don’t usually foresee problems that may have if these assumptions have not been met. It’s like, bakers have to make sure the bread they bake is safe to eat, delicious and good-looking. But it’s just difficult for them to foresee (or do anything) to stop malicious people from adding in poisons to the bread intentionally to kill someone. If the world is so perfect, London’s police and intelligence departments could have stopped Bin Laden’s bombers before anything happens. As always, things can be improved, but even god is so powerful, there are still chances where devil comes in and mess things up. So, please do not blame the programmers (either Microsoft’s or not) for not being as thoughtful as Bin Laden… However, the zlib example demonstrates how bugs and vulnerabilities of commonly used shared libraries can pose widespread and serious risks… the world will need discussions on how better methodologies or procedures can be implemented to eliminate such risks if things do go wrong. 2005-07-08 7:39 pm AdamW and Mandriva MDKSA-2005:112, dated July 6th like the others. I think there was some sort of collaboration between Linux vendors on releasing a fix simultaneously (that’s my guess, not fact…) 2005-07-11 11:09 am haugland Obviously there is quality control. But maybe it should have taken place before release. A lot of programmers have used the library before sufficient quality control. No products are ever perfect — I agree on that. But a library which is designed to be used by many different applications should be of a better quality than the average software. The OpenBSD team have shown the way! Not all programs need to be designed with security in mind. But many do. I am not blaming the programmers who created the library. But if programmers use libraries without doing anything to assess the quality, they should be aware of the risks. So you have to either trust the team that made the library, check if anyone else have controlled the software, or check it yourself (or live with the uncertainty).