Date: Fri, 20 Oct 2023 10:50:06 +0200
From: Natanael Copa
To: "Alekh Kanubothula (Nokia)"
Cc: "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>
Subject: Re: Zlib vulnerability CVE-2023-45853 in 3.18.3 and 3.18.4
Message-ID: <20231020105006.151d0e30@ncopa-desktop.lan>

On Fri, 20 Oct 2023 08:12:04 +0000
"Alekh Kanubothula (Nokia)" wrote:

> Hi,
>
> Recently we found a vulnerability related to zlib in 3.18.3 and 3.18.4.
> These two versions are almost latest versions. Could you please let
> us know by when a new version will get released with the zlib patch?

Hi,

This vulnerability is in contrib/minizip.
https://nvd.nist.gov/vuln/detail/CVE-2023-45853

The fix also confirms that this is a problem in contrib/minizip/zip.c:
https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c

To my knowledge we never built this binary or shipped it in any
package, ever, so there is nothing for us to fix.
https://pkgs.alpinelinux.org/contents?file=minizip&path=&name=&branch=edge

Thanks!

-nc