No subject


Thu Nov 2 09:08:48 EST 2006


safely say they can't get it to work period.

I personally (this is ME.. not anyone else mind you!) find it silly
for a bunch of people to stand up and yell "Not vulnerable!".  It makes
it harder to find the few people in the crowd yelling "Hey, idiots..
upgrade!  We are affected!"

However, in --current we did decide all fatal() calls should skip dealing
with zlib stuff and just exit.  As a 'better safe than sorry' view.

- Ben

On Wed, 3 Apr 2002 dale at accentre.com wrote:

> On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > I'm disappointed that nobody has replied to my question.  OpenSSH
> > development team, isn't the potential for a remote root exploit something
> > that's important to you?  Many other tools that use zlib have issued a
> > public statement saying they are or they are not vulnerable.
>
> The issue has been discussed on this list.  I quote:
>
> > From: Nalin Dahyabhai <nalin at redhat.com>
> > Subject: Re: zlib compression, the exploit, and OpenSSH
> > Date: Wed, 13 Mar 2002 16:23:59 -0500
> >
> > On Wed, Mar 13, 2002 at 12:07:34PM -0800, ewheeler at kaico.com wrote:
> > > 3.  Does OpenSSH statically link (or can it/does it by default) to the
> > > zlib library -- will updating the zlib library to 1.1.4 take care of the
> > > situation?
> >
> > I can't speak to the rest of your questions, but because the portable
> > tree doesn't bundle its own copy of zlib, OpenSSH links against the
> > version installed on the system it's being compiled on.  Usually that's
> > a shared library if your OS has shared libraries, but it's going to be
> > OS-specific.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>



