From: Dor Hayun
To: ~alpine/users@lists.alpinelinux.org
Subject: Inquiry Regarding Security Status and CVE-2022-37434 for zlib in Alpine Linux 3.8
Date: Tue, 17 Oct 2023 10:37:20 +0300
Message-Id: <6368BBD7-FDDE-4217-90B9-E9886F7ECFA2@whitesourcesoftware.com>

Dear Alpine Linux Team,

I trust this message finds you well. My name is Dor, and I am reaching out with a general inquiry about the security status of the zlib library in Alpine Linux version 3.8.

Recently, I have been working with a Docker image based on Alpine:3.8.5, and I observed that the zlib library version is reported as 1.2.11-r1. However, upon reviewing the Alpine Linux Security Advisories, I did not find any mention of CVE-2022-37434 for Alpine:3.8. It appears that the CVE has been addressed in Alpine Linux 3.11 and later versions.

To ensure a comprehensive understanding of the security posture of the zlib library in Alpine:3.8, I would appreciate it if you could shed some light on the following:

1. Is the zlib library in Alpine:3.8 considered not vulnerable to CVE-2022-37434? If so, could you provide some insights into the reasons behind this?

2. Are there plans to address this CVE specifically for Alpine:3.8, or has it been determined that the library in this version is not affected?

I believe that clarifying these points would be valuable not only for my use case but also for others in the community who may be working with Alpine:3.8 in their environments.

If possible, could you also provide an example or guidance on how users can verify the security status of a specific library in an Alpine Linux version to promote transparency and informed decision-making?

I appreciate your time and efforts in maintaining the security integrity of Alpine Linux. Thank you for your attention to this matter.

Best regards,
Dor H.