[Techtalk] Zlib exploit

Raven, corporate courtesan raven at oneeyedcrow.net
Tue Mar 12 14:01:44 EST 2002


Heya --

Quoth Malcolm (Tue, Mar 12, 2002 at 12:25:03PM -0500):
> > 	It probably did install right over the old one; that's what my
> > Debian system did.  Take a look at the timestamp on the files; that
> > will tell you.  And no, you didn't break apt, but apt won't know
> > about this new version.  When the patched version comes out for
> > Debian you may have to manually force an upgrade of that package,
> > but after that you should be fine again.
> 
> Except that apt will know about the -older- version, so it will 
> upgrade the package, overwriting the compiled version. (Unless apt 
> checks the timestamps or something, which I'd be surprised at). 
> That's only a problem if your compiled version is a newer version 
> than the package, which would not be the case here.
 
	It depends on how you use apt-get.  If you manually invoke it,
then just don't do so for zlib until the patched version is out.  If you
have a cron job set up to auto-update your system, then you run the risk
of the above scenario.  But if you have a cron job that runs with any
frequency, you probably already had the most recent unpatched version
available.   So apt thinks you still have that version, and wouldn't see
any reason to update until there was a newer one.  Presumably, one with
the patch.

	From a quick gander around the Debian site, 1.1.3-5 is the most
recent Deb version, and 1.1.4 is the patched version that you probably
installed last night.  So if you had 1.1.3-5 before patching, it
shouldn't be overwritten via cron.

Cheers,
Raven

"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
