Is OpenSSH vulnerable to the ZLIB problem or isn't it?
dale at accentre.com
Thu Apr 4 04:31:08 EST 2002
On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> I'm disappointed that nobody has replied to my question. OpenSSH
> development team, isn't the potential for a remote root exploit something
> that's important to you? Many other tools that use zlib have issued a
> public statement saying they are or they are not vulnerable.
The issue has been discussed on this list. I quote:
> From: Nalin Dahyabhai <nalin at redhat.com>
> Subject: Re: zlib compression, the exploit, and OpenSSH
> Date: Wed, 13 Mar 2002 16:23:59 -0500
>
> On Wed, Mar 13, 2002 at 12:07:34PM -0800, ewheeler at kaico.com wrote:
> > 3. Does OpenSSH statically link (or can it/does it by default) to the
> > zlib library -- will updating the zlib library to 1.1.4 take care of the
> > situation?
>
> I can't speak to the rest of your questions, but because the portable
> tree doesn't bundle its own copy of zlib, OpenSSH links against the
> version installed on the system it's being compiled on. Usually that's
> a shared library if your OS has shared libraries, but it's going to be
> OS-specific.
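
One way to check the linkage the quoted reply describes, as an added example that is not part of the original thread. The function names and the sample `ldd` lines are constructed for illustration, and the version check relies on zlib embedding a ` deflate <version> Copyright` string in the library.

```shell
#!/bin/sh
# Added example: does a binary pick up the system's shared zlib, and is that
# zlib at least 1.1.4 (the version the quoted question asks about)?
# On a real host:  ldd "$(command -v sshd)" | zlib_linkage
#                  strings /path/to/libz.so.1 | zlib_version

# Read `ldd` output on stdin and classify how zlib is obtained.
#   shared <path>   libz is resolved at run time; updating the library covers it
#   static-binary   ldd reports a non-dynamic executable; a rebuild is needed
#   no-shared-libz  zlib is compiled in statically or not used at all
zlib_linkage() {
    awk '
        /not a dynamic executable|statically linked/ { r = "static-binary" }
        $1 ~ /^libz\.so/ && $2 == "=>"               { r = "shared " $3 }
        END { print (r ? r : "no-shared-libz") }
    '
}

# Read `strings libz.so.N` output on stdin and print the embedded version.
zlib_version() {
    sed -n 's/^ *deflate \([0-9][0-9.]*\) Copyright.*/\1/p' | head -n 1
}

# Exit 0 when version $1 is 1.1.4 or later, 1 otherwise.
zlib_is_fixed() {
    echo "$1" | awk -F. '{
        split("1.1.4", want, ".")
        for (i = 1; i <= 3; i++) {
            if (($i + 0) > (want[i] + 0)) exit 0
            if (($i + 0) < (want[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Constructed sample input (not captured from a real system).
sample_ldd='	libc.so.6 => /lib/libc.so.6 (0x40000000)
	libz.so.1 => /usr/lib/libz.so.1 (0x40035000)'
sample_strings=' deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly '

echo "linkage: $(printf '%s\n' "$sample_ldd" | zlib_linkage)"
ver=$(printf '%s\n' "$sample_strings" | zlib_version)
if zlib_is_fixed "$ver"; then
    echo "zlib $ver: at or above 1.1.4"
else
    echo "zlib $ver: older than 1.1.4, update the shared library"
fi
```

A `no-shared-libz` or `static-binary` result means replacing the system library alone does not change what the binary runs; it has to be rebuilt against the updated zlib.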