From: Paul Wouters (paulxtdnet.nl)
Date: Thu Mar 14 2002 - 18:16:41 CST


    On Thu, 14 Mar 2002, tele wrote:

    > The vulnerable zlib 1.1.3 code can even be found in the freeswan
    > 1.95 source tree and previous versions; therefore there's a
    > potential vulnerability at kernel level. Besides, at the web site
    > http://www.freeswan.org the problem is not properly treated.

    From the Freeswan list:

    Henry Spencer <henryspsystems.net> wrote:
      
    > The FreeS/WAN project classes this bug as non-critical, because an IPsec
    > packet must pass authentication (and be successfully decrypted) before our
    > copy of zlib is asked to decompress it, even if the configuration permits
    > compression (which the default ones do not). This greatly limits real
    > exposure as a result of this bug.
    >
    > Our next release (1.97, expected at the beginning of April) will
    > incorporate the fix.

    Paul
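
The receive-path ordering described in the quoted FreeS/WAN statement, as an added Python sketch (not FreeS/WAN code and not part of the original message): the integrity check runs before zlib sees any bytes, and compression is off unless configured. The packet layout and the names `seal`, `receive`, `Rejected` and `MAX_PLAIN` are assumptions made for illustration, and the decryption step is omitted.

```python
import hashlib
import hmac
import struct
import zlib

ICV_LEN = 12          # truncated HMAC-SHA1 tag (assumed layout)
HDR_LEN = 9           # SPI (4) + sequence (4) + compressed flag (1)
MAX_PLAIN = 65535     # cap on decompressed size (assumed policy)

class Rejected(Exception):
    """Packet dropped before or during processing."""

def seal(key, spi, seq, payload, compress=False):
    """Build a constructed test packet: header | body | ICV."""
    body = zlib.compress(payload) if compress else payload
    signed = struct.pack("!IIB", spi, seq, int(compress)) + body
    return signed + hmac.new(key, signed, hashlib.sha1).digest()[:ICV_LEN]

def receive(key, packet, allow_compression=False, stats=None):
    """Authenticate first; only then hand the body to zlib."""
    stats = stats if stats is not None else {}
    if len(packet) < HDR_LEN + ICV_LEN:
        raise Rejected("short packet")
    signed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, signed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise Rejected("bad ICV")            # zlib never runs on this input
    _spi, _seq, compressed = struct.unpack("!IIB", signed[:HDR_LEN])
    body = signed[HDR_LEN:]
    if not compressed:
        return body
    if not allow_compression:                # compression is off by default
        raise Rejected("compression not configured")
    stats["inflate_calls"] = stats.get("inflate_calls", 0) + 1
    inflater = zlib.decompressobj()
    try:
        out = inflater.decompress(body, MAX_PLAIN)   # bounded output
    except zlib.error as exc:
        raise Rejected("bad compressed data") from exc
    if inflater.unconsumed_tail or not inflater.eof:
        raise Rejected("oversized or truncated compressed data")
    return out
```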