Received: from vybihal.cz (vybihal.cz [IPv6:2a01:430:17:1::ffff:1391])
    by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id A7819225C8F
    for <~alpine/users@lists.alpinelinux.org>; Tue, 17 Oct 2023 07:57:34 +0000 (UTC)
Message-ID: <43e15a743bd05b802b63228b47d98bcdc8cda18d.camel@vybihal.cz>
Subject: Re: Inquiry Regarding Security Status and CVE-2022-37434 for zlib in Alpine Linux 3.8
From: Josef Vybíhal
To: Dor Hayun, ~alpine/users@lists.alpinelinux.org
Date: Tue, 17 Oct 2023 09:57:30 +0200
In-Reply-To: <6368BBD7-FDDE-4217-90B9-E9886F7ECFA2@whitesourcesoftware.com>
References: <6368BBD7-FDDE-4217-90B9-E9886F7ECFA2@whitesourcesoftware.com>

Hi,

you might want to use some non-ancient version if you are concerned
about security.

https://alpinelinux.org/releases/

J.

On Tue, 2023-10-17 at 10:37 +0300, Dor Hayun wrote:
> Dear Alpine Linux Team,
>
> I trust this message finds you well. My name is Dor, and I am
> reaching out with a general inquiry about the security status of the
> zlib library in Alpine Linux version 3.8.
>
> Recently, I have been working with a Docker image based on
> Alpine:3.8.5, and I observed that the zlib library version is
> reported as 1.2.11-r1. However, upon reviewing the Alpine Linux
> Security Advisories, I did not find any mention of CVE-2022-37434 for
> Alpine:3.8.
> It appears that the CVE has been addressed in Alpine
> Linux 3.11 and later versions.
>
> To ensure a comprehensive understanding of the security posture of
> the zlib library in Alpine:3.8, I would appreciate it if you could
> shed some light on the following:
>
> 1. Is the zlib library in Alpine:3.8 considered not vulnerable to
> CVE-2022-37434? If so, could you provide some insights into the
> reasons behind this?
>
> 2. Are there plans to address this CVE specifically for Alpine:3.8,
> or has it been determined that the library in this version is not
> affected?
>
> I believe that clarifying these points would be valuable not only for
> my use case but also for others in the community who may be working
> with Alpine:3.8 in their environments.
>
> If possible, could you also provide an example or guidance on how
> users can verify the security status of a specific library in an
> Alpine Linux version to promote transparency and informed
> decision-making?
>
> I appreciate your time and efforts in maintaining the security
> integrity of Alpine Linux. Thank you for your attention to this
> matter.
>
> Best regards,
>
> Dor H.