On Thu, 14 Mar 2002, tele wrote:

> The vulnerable zlib 1.1.3 code can be even found on the freeswan
> 1.95 source tree and previous versions, therefore there's a
> potential vulnerability at kernel level; besides at the web site
> http://www.freeswan.org the problem is not properly treated.

From the Freeswan list:

Henry Spencer <henry@spsystems.net> wrote:

> The FreeS/WAN project classes this bug as non-critical, because an IPsec
> packet must pass authentication (and be successfully decrypted) before our
> copy of zlib is asked to decompress it, even if the configuration permits
> compression (which the default ones do not). This greatly limits real
> exposure as a result of this bug.
>
> Our next release (1.97, expected at the beginning of April) will
> incorporate the fix.

Paul
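The ordering described in the quoted FreeS/WAN statement, as an added example that is not part of the original message and not FreeS/WAN code: a receiver that checks integrity before zlib sees any byte, with compression off by default. The flag-byte framing, HMAC-SHA256, the size cap and all names are assumptions made for illustration, and the decryption step is left out.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 32      # HMAC-SHA256 output size
MAX_OUT = 65535   # assumed cap on decompressed payload size

class Rejected(Exception):
    """Inbound packet dropped; .stage names the check that dropped it."""
    def __init__(self, stage):
        super().__init__(stage)
        self.stage = stage

def seal(key, payload, compress):
    """Sender: optionally compress, then append an HMAC over flag + body."""
    body = (b"\x01" + zlib.compress(payload)) if compress else (b"\x00" + payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def receive(key, packet, allow_compression=False):
    """Receiver: authenticate first; zlib is reached only afterwards."""
    if len(packet) < TAG_LEN + 1:
        raise Rejected("length")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise Rejected("auth")          # unauthenticated input never reaches zlib
    flag, data = body[0], body[1:]
    if flag == 0:
        return data                     # uncompressed payload, zlib not involved
    if flag != 1 or not allow_compression:
        raise Rejected("policy")        # compression is off unless configured
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, MAX_OUT)
    except zlib.error:
        raise Rejected("decompress") from None
    if d.unconsumed_tail or not d.eof:
        raise Rejected("decompress")    # oversized or truncated stream
    return out

# Constructed sample data, not taken from any real traffic.
KEY = b"constructed-demo-key"
GOOD = seal(KEY, b"hello " * 20, compress=True)
FORGED = b"\x01" + b"\xff" * 40 + b"\x00" * TAG_LEN   # invalid stream, invalid tag
```

A packet that carries a valid tag still reaches the decompressor when compression is enabled, which is why the authentication check reduces exposure but the library fix is still needed.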