[CentOS] newer ZLIB and ZLIB-DEVEL

Sun May 8 16:49:54 UTC 2005
Matt Dainty <matt at bodgit-n-scarper.com>

On Sun, 2005-05-08 at 17:23, Robert Hanson wrote:
> -}Behalf Of Johnny Hughes
> -}Sent: Sunday, May 08, 2005 9:07 AM
> -}Do you really need 1.2.2 or just the latest security patches ... if you
> -}must really have 1.2.2 or greater, you should probably download the
> -}latest SRPM from the Fedora Rawhide project (it, or an RPM like it, will
> -}be in newer versions of RHEL and FC).
> 
> http://mirror.linux.duke.edu/pub/fedora/linux/core/development/SRPMS/zlib-1.2.2.2-3.src.rpm
> 
> -}Then use it to make zlib and zlib-devel on your platform.  I just
> -}verified that it builds on CentOS-3.4 and 4.0 with the command:
> -}
> -}rpmbuild --rebuild zlib-1.2.2.2-3.src.rpm
> -}
> -}(must have gcc, make, rpm-build as a minimum installed on the
> -}machine ... maybe some other packages)
> -}
> -}I can provide those files for download if you can't get them to
> -}build ... are you on CentOS-3.x or CentOS-4.x?
> -}
> 
> Thanks for the quick reply.
> 
> I am on CentOS 4 and this is in relation to the security fix. So I really
> need 1.2.2 or later, as when I do a "configure" for clamav-0.84 it complains
> about zlib and directs me to www.zlib.net

No, not really. The security fixes should be in the CentOS 4 zlib
already. On these Redhat/RPM-based systems, going on the pure version
number alone is not a good method of working out what is secure and what
isn't.

> Now, it did that on clamav-0.83 yet it still allowed the "configure" to
> finish, yet with clamav-0.84 it dies and I had to insert an
> 
> --disable-zlib-vcheck
> 
> to get it to finish the configure.

The problem is clamav is using the version number as the check rather
than assuming a distribution might backport the security fixes to older
versions.

Looking at that zlib src.rpm URL you posted, the changelog mentions no
fixes to security problems that aren't found in the native CentOS
version already, unless you can point to what these exact security
vulnerabilities are?

Otherwise, IMHO using --disable-zlib-vcheck is the correct fix. Checking
the clamav package in the `dag' repository shows this configure switch
is indeed used.

Matt
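The point Matt makes above, that a configure-time version gate cannot see a distribution's backported fixes, is shown in the added script below. It is an example written for this page, not code from the thread, clamav or CentOS. It contrasts the naive "is the version at least 1.2.2?" test that clamav's configure performs with a check that reads the package changelog, which is what you would actually consult on an RPM-based system (`rpm -q --changelog zlib`). The installed version 1.2.1.2, the minimum 1.2.2 and the changelog text are all constructed for illustration; version fields are assumed to be purely numeric.

```sh
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Demonstrates why a pure version comparison misjudges a backported package,
# and what a changelog-based check looks like instead.

# Naive gate, the kind a configure script uses: "is $1 >= $2 ?"
# Dotted numeric versions are compared field by field; missing fields count
# as 0. Returns 0 (true) or 1 (false). Upstream version only, no RPM release.
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        # Append a "." so cut always sees a delimiter and returns "" past the end.
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all fields equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Changelog-based check: does the package changelog mention the fix?
# $1 is the changelog text, $2 a pattern (an advisory id, bug number or
# distinctive phrase). On a live CentOS box the text would come from
#   rpm -q --changelog zlib
changelog_has_fix() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# Constructed changelog standing in for the real package's. The version stays
# at 1.2.1.2 even though a fix was backported, which is exactly the case the
# version gate cannot detect.
SAMPLE_CHANGELOG='* Tue Feb 01 2005 Example Packager <packager@example.com> 1.2.1.2-1.2
- backport security fix from upstream 1.2.2 (constructed entry)
* Mon Nov 15 2004 Example Packager <packager@example.com> 1.2.1.2-1
- update to 1.2.1.2'

# Decision routine: accept when the version is new enough, otherwise fall
# back to the changelog. $1 installed version, $2 minimum version,
# $3 changelog text, $4 fix pattern.
zlib_ok() {
    version_ge "$1" "$2" && return 0
    changelog_has_fix "$3" "$4"
}

# Demonstration with the constructed data.
if version_ge 1.2.1.2 1.2.2; then
    printf 'version gate: 1.2.1.2 >= 1.2.2, accepted\n'
else
    printf 'version gate: 1.2.1.2 < 1.2.2, rejected (this is what configure sees)\n'
fi
if zlib_ok 1.2.1.2 1.2.2 "$SAMPLE_CHANGELOG" "backport security fix"; then
    printf 'changelog check: fix is backported, package is fine\n'
fi
```

The rejected branch is the situation that forces `--disable-zlib-vcheck`: the package is patched, but the only evidence is in the changelog, not the version string. The pattern you grep for has to be chosen per advisory; the script does not know which fix the configure check is looking for.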