Mike McCarty wrote:
| a little more intelligible. What is a poisonous .png? I'm using the latest
| FC2. How can I tell whether I have updated my libz? I used uptodate
| up to the point where FC2 was no longer being updated.

You are out of security updates altogether by the sound of it. So the real simple version is that since your last update, one or more ways to hack the versions of code you are running has been found.

Just recently a flaw was found in a compression library:

http://www.eweek.com/article2/0,1759,1834632,00.asp?kc=EWRSS03119TX1K0000594

Many programs use a dangerous version of the compression library, including the code to interpret png files which in turn is used by many other programs. All of these apps are theoretically vulnerable to a buffer overflow exploit delivered in a faked up png file. So if you browse the wrong site and get given the evil image file, or you show (evil) images sent to you in an email, you are hacked. This is commonplace in the Windows world and quite possible in the Linux world too (although Fedora's early use of selinux, execshield, NX, etc. try to make this less simple).

You should look into the Fedora Legacy project and update via yum from there until you upgrade to something with direct security updates:

http://www.fedoralegacy.org/

|> "Mozilla" is a giant teetering edifice of everchanging code that you
|
| Oh, come now. If you take that attitude, then Linux and the FSF code

Any code could link to zlib and be vulnerable... the flaw doesn't have to be directly in the application for the application to be vulnerable via a broken library. Any of it can link to other libraries with as yet undiscovered buffer overflows and be vulnerable. And the point is you don't know, as a user, what uses the bad zlib and what doesn't. Even when you update the bad library, which should fix all apps that use the library, you still don't know for sure if other stuff has the bad version directly compiled in as part of the app itself.

-Andy
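
An added example, not part of the message above: one way to check a file for the case described at the end, a copy of zlib compiled directly into a program, by looking for the banner strings zlib embeds in every copy of itself. The function names, the sample bytes and the version numbers are constructed for illustration; the first patched version is an assumption you supply from your vendor's advisory.

```python
import re
import sys

# zlib compiles banner strings of this form into every copy of itself, so
# they survive static linking:  " deflate X.Y.Z Copyright 1995-YYYY ..."
BANNER = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+)+)\S* Copyright 1995-\d{4}")
# A dynamically linked program names the shared library instead.
SHARED = re.compile(rb"libz\.so(?:\.\d+)*")


def parse_version(text):
    """Turn "1.2.3" into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def embedded_versions(data):
    """Return the sorted list of zlib versions whose banners appear in data."""
    return sorted({m.group(1).decode() for m in BANNER.finditer(data)},
                  key=parse_version)


def classify(data, fixed_version):
    """Classify file contents; fixed_version is the first patched release."""
    found = embedded_versions(data)
    if found:
        old = [v for v in found if parse_version(v) < parse_version(fixed_version)]
        # An embedded copy is NOT fixed by updating the system library.
        return ("embedded-old", old) if old else ("embedded-ok", found)
    if SHARED.search(data):
        return ("shared", [])  # fixed by updating the system libz package
    return ("none", [])


# Constructed sample inputs (not real binaries); version numbers are made up.
SAMPLE_STATIC = b"\x7fELF\0" + b" inflate 1.0.1 Copyright 1995-2004 Mark Adler \0"
SAMPLE_DYNAMIC = b"\x7fELF\0libpng.so.3\0libz.so.1\0"

if __name__ == "__main__":
    # Usage: script.py FIXED_VERSION FILE...   ("1.0.2" is an assumed default)
    fixed = sys.argv[1] if len(sys.argv) > 1 else "1.0.2"
    for path in sys.argv[2:]:
        with open(path, "rb") as fh:
            print(path, *classify(fh.read(), fixed))
```

The shared libz file itself also reports as "embedded", since it is the copy everything else links to. A result of "none" does not prove a program is clean, because a packed or compressed executable hides the banner.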