Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733])
	by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id 5B261225BD9
	for <~alpine/users@lists.alpinelinux.org>; Tue, 17 Oct 2023 07:37:35 +0000 (UTC)
Received: by mail-qk1-x733.google.com with SMTP id af79cd13be357-77433d61155so369027685a.2
        for <~alpine/users@lists.alpinelinux.org>; Tue, 17 Oct 2023 00:37:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=whitesourcesoftware.com; s=google; t=1697528253; x=1698133053; darn=lists.alpinelinux.org;
        h=to:date:message-id:subject:mime-version:content-transfer-encoding
         :from:from:to:cc:subject:date:message-id:reply-to;
        bh=Rk1ZBjTZm7NYheLXQ5sQ4jj+wua+zA/WeZk8cBxd6LY=;
        b=PL0BGxZp+fKXrN0w/f2CEugWCe0ciXhMFQmV4GDGAfxceKiGjpxOtZu6NX4QXRpRY1
         ged1QuXR4d/9ffz/nSZic2eIUwGNIPayfCN3hWU3b7l7GziFRVnOXfnDI5kJZXm3MHlv
         ZnAwYLLQ4dh1g0xkyUHvNpnbVvqMdZNiKSXiiJ5SWbVzIp4CaZHy38Qjz2bey1/4la/q
         MGSn4nvozaCx4wVEd1b/iQrN1FaNPEXLfQ75qGbC3EK1ARCTWkmCgf8UMESK5fIvq4NI
         7KRsto9pA+wIFNqxgAvwvE+TEhkFL9X380ZC9Yc/m9qx7j1LRyiUPlfGCFZSCMmIUBDH
         MSWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1697528253; x=1698133053;
        h=to:date:message-id:subject:mime-version:content-transfer-encoding
         :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=Rk1ZBjTZm7NYheLXQ5sQ4jj+wua+zA/WeZk8cBxd6LY=;
        b=cC9pFuBlmMwoduaKHSzQGcsZBETGcdS+jo7qKTdL1GVCBEI3XFJgaHlRSGjsBLV055
         OmrqUn3KCVDmAjxrOSzlMSS1JywU9bSb8wH3uVvdtvTki+RAna8+WLkhujoNNj82lJSN
         Ra6fGWfaKfLA1XRyW/LZ9S2EMhEUbktFdG6Ty+5M60qdowJIlOp2qCGbPsvRS8PyE08I
         r91UzwSOwJkWUoMQk1nsLPw9aY4HPYtxEsbM7pDdOOpQWGs9YyufyxKDTWE3IjWq13uI
         Yka5JIdht58BQonZnd9ldb7UPMMk1v+4yfeF+wahKcEl2PkRbOpz1IeOPXUUdw+7/E9S
         7UKQ==
X-Gm-Message-State: AOJu0YwIIYtGSI1S0SqMSguSTEVUDPGHZgRhIqZWNW4aBbanJrmvRhc5
	it14nVBNQQnbxjRMhrmJCiReW2yoFa08wmYsXadntQ==
X-Google-Smtp-Source: AGHT+IGf23Hlm/FX8E8jjR3uK0i0ysueRsk1uZX/X86ujjvrRNJL0Ak/hl1wK8r9+6I7UpTYrNk0wQ==
X-Received: by 2002:a05:6214:1d21:b0:658:95e9:111d with SMTP id f1-20020a0562141d2100b0065895e9111dmr1820466qvd.12.1697528252804;
        Tue, 17 Oct 2023 00:37:32 -0700 (PDT)
Received: from smtpclient.apple (ec2-35-153-5-93.compute-1.amazonaws.com. [35.153.5.93])
        by smtp.gmail.com with ESMTPSA id dp20-20020a05621409d400b0066cf4fa7b47sm349851qvb.4.2023.10.17.00.37.31
        for <~alpine/users@lists.alpinelinux.org>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 17 Oct 2023 00:37:32 -0700 (PDT)
From: Dor Hayun <dor.hayun@whitesourcesoftware.com>
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.100.2.1.4\))
Subject: Inquiry Regarding Security Status and CVE-2022-37434 for zlib in
 Alpine Linux 3.8
Message-Id: <6368BBD7-FDDE-4217-90B9-E9886F7ECFA2@whitesourcesoftware.com>
Date: Tue, 17 Oct 2023 10:37:20 +0300
To: ~alpine/users@lists.alpinelinux.org
X-Mailer: Apple Mail (2.3774.100.2.1.4)



Dear Alpine Linux Team,

I trust this message finds you well. My name is Dor, and I am reaching =
out with a general inquiry about the security status of the zlib library =
in Alpine Linux version 3.8.

Recently, I have been working with a Docker image based on Alpine:3.8.5, =
and I observed that the zlib library version is reported as 1.2.11-r1. =
However, upon reviewing the Alpine Linux Security Advisories, I did not =
find any mention of CVE-2022-37434 for Alpine:3.8. It appears that the =
CVE has been addressed in Alpine Linux 3.11 and later versions.

To ensure a comprehensive understanding of the security posture of the =
zlib library in Alpine:3.8, I would appreciate it if you could shed some =
light on the following:

1. Is the zlib library in Alpine:3.8 considered not vulnerable to =
CVE-2022-37434? If so, could you provide some insights into the reasons =
behind this?

2. Are there plans to address this CVE specifically for Alpine:3.8, or =
has it been determined that the library in this version is not affected?

I believe that clarifying these points would be valuable not only for my =
use case but also for others in the community who may be working with =
Alpine:3.8 in their environments.

If possible, could you also provide an example or guidance on how users =
can verify the security status of a specific library in an Alpine Linux =
version to promote transparency and informed decision-making?

I appreciate your time and efforts in maintaining the security integrity =
of Alpine Linux. Thank you for your attention to this matter.

Best regards,

Dor H.=