Inquiry Regarding Security Status and CVE-2022-37434 for zlib in Alpine Linux 3.8

Message ID
<6368BBD7-FDDE-4217-90B9-E9886F7ECFA2@whitesourcesoftware.com>

Dear Alpine Linux Team,

I trust this message finds you well. My name is Dor, and I am reaching out with a general inquiry about the security status of the zlib library in Alpine Linux version 3.8.

Recently, I have been working with a Docker image based on Alpine:3.8.5, and I observed that the zlib library version is reported as 1.2.11-r1. However, upon reviewing the Alpine Linux Security Advisories, I did not find any mention of CVE-2022-37434 for Alpine:3.8. It appears that the CVE has been addressed in Alpine Linux 3.11 and later versions.

To ensure a comprehensive understanding of the security posture of the zlib library in Alpine:3.8, I would appreciate it if you could shed some light on the following:

1. Is the zlib library in Alpine:3.8 considered not vulnerable to CVE-2022-37434? If so, could you provide some insights into the reasons behind this?

2. Are there plans to address this CVE specifically for Alpine:3.8, or has it been determined that the library in this version is not affected?

I believe that clarifying these points would be valuable not only for my use case but also for others in the community who may be working with Alpine:3.8 in their environments.

If possible, could you also provide an example or guidance on how users can verify the security status of a specific library in an Alpine Linux version to promote transparency and informed decision-making?

I appreciate your time and efforts in maintaining the security integrity of Alpine Linux. Thank you for your attention to this matter.

Best regards,

Dor H.
Josef Vybíhal <josef@vybihal.cz>
Message ID
<43e15a743bd05b802b63228b47d98bcdc8cda18d.camel@vybihal.cz>
In-Reply-To
<6368BBD7-FDDE-4217-90B9-E9886F7ECFA2@whitesourcesoftware.com>
Hi, you might want to use some non-ancient version if you are concerned
about security.

https://alpinelinux.org/releases/

J.

On Tue, 2023-10-17 at 10:37 +0300, Dor Hayun wrote:
> 
> 
> Dear Alpine Linux Team,
> 
> I trust this message finds you well. My name is Dor, and I am
> reaching out with a general inquiry about the security status of the
> zlib library in Alpine Linux version 3.8.
> 
> Recently, I have been working with a Docker image based on
> Alpine:3.8.5, and I observed that the zlib library version is
> reported as 1.2.11-r1. However, upon reviewing the Alpine Linux
> Security Advisories, I did not find any mention of CVE-2022-37434 for
> Alpine:3.8. It appears that the CVE has been addressed in Alpine
> Linux 3.11 and later versions.
> 
> To ensure a comprehensive understanding of the security posture of
> the zlib library in Alpine:3.8, I would appreciate it if you could
> shed some light on the following:
> 
> 1. Is the zlib library in Alpine:3.8 considered not vulnerable to
> CVE-2022-37434? If so, could you provide some insights into the
> reasons behind this?
> 
> 2. Are there plans to address this CVE specifically for Alpine:3.8,
> or has it been determined that the library in this version is not
> affected?
> 
> I believe that clarifying these points would be valuable not only for
> my use case but also for others in the community who may be working
> with Alpine:3.8 in their environments.
> 
> If possible, could you also provide an example or guidance on how
> users can verify the security status of a specific library in an
> Alpine Linux version to promote transparency and informed decision-
> making?
> 
> I appreciate your time and efforts in maintaining the security
> integrity of Alpine Linux. Thank you for your attention to this
> matter.
> 
> Best regards,
> 
> Dor H.