It appears that so soon after the zlib-1.2.1 fun, we need to upgrade to zlib-184.108.40.206. "What is that?", you might ask after looking at the zlib homepage and zlib-announce archives and not seeing any mention of such a beast. Apparently it's a stealth release, as the only place I've found tarballs of it is in source packages from various Linux distributions. Extracted from the Red Hat FC2 srpm, the ChangeLog states:

Changes in 220.127.116.11 (9 January 2004)
- Updated email address in README
- Several FAQ updates
- Fixed a big fat bug in inftrees.c that prevented decoding valid dynamic blocks with only literals and no distance codes.
- Add a note to puff.c on no distance codes case.

While this appears to be a somewhat serious update, I'm somewhat reluctant to apply it to the mozilla tree until I can find an official source. The source URL in the fc2 spec points to ftp.info-zip.org, which isn't updated anymore.
I received this from Mark Adler, zlib developer. I'm changing the summary of this bug to say 1.2.2 instead of 18.104.22.168:

zlib 1.2.2 is complete. You can download either of these (signatures below):

http://www.zlib.net/zlib-1.2.2.tar.gz
http://www.zlib.net/zlib-1.2.2.tar.bz2
Summary: Upgrade to zlib 22.214.171.124 → Upgrade to zlib 1.2.2
zlib signatures:

MD5(zlib-1.2.2.tar.gz)= 68bd51aaa6558c3bc3fd4890e53413de
SHA1(zlib-1.2.2.tar.gz)= e6ec67108bfd1f321eb4f1bd192b648725219595
Created attachment 161386
Upgrade zlib to zlib-1.2.2

I've tested the patch on a FreeBSD/gcc-3.4.2 platform using a fresh checkout of mozilla from CVS this morning (1) only replacing zlib (2) also using libmng instead of libpng to support PNG, via the latest patch from bug #18574. Both configurations worked fine.
Comment on attachment 161386
Upgrade zlib to zlib-1.2.2

tor: r? Mark Adler says 1.2.2 has been "released":

On Nov 1, 2004, at 6:48 AM, Glenn Randers-Pehrson wrote:
> Is zlib-1.2.2 considered to be "released" now, despite www.zlib.org
> still showing zlib-1.2.1?

Yes. Unfortunately, we have not been able to get Jean-loup's attention to update www.zlib.org.

mark
Attachment #161386 - Flags: review?(tor)
Are the changes important enough that the minimum version in configure.in should be bumped too?
The upgrade fixes CERT VU#238678 CAN-2004-0797 which reports a Denial of Service vulnerability. So, yes, the minimum "system" version should be 1.2.2.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED