Re: about zlib vulnerability

[Paul Wouters <paul () xtdnet nl>]

On Thu, 14 Mar 2002, tele wrote:

> The vulnerable zlib 1.1.3 code can be even found on the freeswan
> 1.95 source tree and previous versions, therefore there's a
> potential vulnerability at kernel level; besides at the web site
> http://www.freeswan.org the problem is not properly treated.

> From the Freeswan list:

Henry Spencer <henry () spsystems net> wrote:
  
> The FreeS/WAN project classes this bug as non-critical, because an IPsec
> packet must pass authentication (and be successfully decrypted) before our
> copy of zlib is asked to decompress it, even if the configuration permits
> compression (which the default ones do not).  This greatly limits real
> exposure as a result of this bug.
>
> Our next release (1.97, expected at the beginning of April) will
> incorporate the fix.            

Paul