
Re: zlib1g 1:1.2.11.dfsg



Thank you very much.



On Fri, 20 Oct 2023 at 10:56, Roberto C. Sánchez <roberto@debian.org> wrote:
On Fri, Oct 20, 2023 at 10:33:03AM -0300, Marcio B. wrote:
>    Hi
>    I have the zlib1g 1:1.2.11.dfsg library installed on my Debian 11.8 server
>    and my vulnerability dashboard shows that the library has CVE-2023-45853.

You don't specify what vulnerability dashboard you are using. However,
in my experience most of them are close to worthless because they do a
poor job of properly assessing whether vulnerabilities are really
present.

In any event, this is the Debian Security Tracker page for
CVE-2023-45853:
https://security-tracker.debian.org/tracker/CVE-2023-45853

It shows the vulnerability is currently present in all versions of
Debian. However, the CVE description at the top of the page includes
this:

"NOTE: MiniZip is not a supported part of the zlib product."

It is possible that either this vulnerability is not actually applicable
in the Debian package (e.g., if that particular capability is not built
into the Debian package) or that it is applicable but is considered of
minor impact by the Debian Security Team.

Note that this particular CVE was only added to the Debian Security
Tracker on October 14th (in commit b34c32795) and that it is likely still
under evaluation by the security team.

>    I would like if there is a patch for this vulnerability since there is no
>    candidate package for update.
>
If you have the bullseye-security source configured on your system and
you update regularly, then you will receive the updated package once it
is available.

>    If it doesn't exist, how could you check the impact of removing this
>    package?

The zlib1g package has 'Priority: optional', so in theory you should be
able to remove it. However, in practice many packages depend on it so
the actual result depends greatly on what specific packages you have
installed in your system. Something like 'sudo apt-get remove zlib1g'
will calculate all the required removals, present them to you for
review, and then ask Y/N whether you want to remove them. There are
other ways to obtain this information, but that is probably the
simplest.

Regards,

-Roberto

--
Roberto C. Sánchez

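The two checks Roberto describes, whether the MiniZip code the CVE concerns is actually built into the Debian zlib1g package and what `apt-get remove zlib1g` would take with it, can be scripted. The script below is an added example, not code from the mailing list thread or from Debian. It assumes only standard Debian/binutils tools (dpkg-query, dpkg -L, nm, apt-get -s, apt-cache) and relies on two facts about the packaging: Debian's zlib1g ships only libz.so.1, while MiniZip (zlib's contrib/minizip, exporting zipOpen*/zipWriteInFileInZip*/zipClose*) is packaged separately as libminizip1. The nm and apt-get outputs embedded in the script are constructed samples so the helpers can be exercised offline; `--live` runs the same logic against the host.

```shell
#!/bin/sh
# Added example: triage CVE-2023-45853 (MiniZip) against Debian's zlib1g.
# Helper functions parse tool output so they can be tested on constructed
# samples; triage_host runs the real commands where they are available.

# Count MiniZip entry points in `nm -D <lib>` output. These names come from
# minizip's zip.c; plain libz.so.1 exports none of them (assumption checked
# live below, not taken from the thread).
minizip_symbol_count() {
    printf '%s\n' "$1" | grep -Ec ' T (zipOpen|zipWriteInFileInZip|zipClose)' || true
}

# Count packages a simulated `apt-get -s remove <pkg>` would remove.
# Simulation prints one "Remv <pkg> [<version>]" line per removal.
count_removals() {
    printf '%s\n' "$1" | grep -c '^Remv ' || true
}

# List the packages that would be removed, one per line.
list_removals() {
    printf '%s\n' "$1" | awk '$1 == "Remv" { print $2 }'
}

# True if apt warned that Essential packages (dpkg, apt, ...) are among the
# removals; removing zlib1g on a real system typically triggers this.
removes_essential() {
    printf '%s\n' "$1" | grep -q 'essential packages will be removed'
}

# Constructed sample data (not captured from a real host).
SAMPLE_LIBZ_NM='00000000000039b0 T inflateInit2_
0000000000003a40 T inflateReset
0000000000004320 T deflateInit_'
SAMPLE_MINIZIP_NM='0000000000002e10 T zipOpen
0000000000003f20 T zipOpenNewFileInZip4_64
0000000000004c00 T zipWriteInFileInZip
0000000000004d50 T zipClose'
SAMPLE_APT='NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
Remv openssh-server [1:8.4p1-5]
Remv zlib1g [1:1.2.11.dfsg-2]
Remv libpng16-16 [1.6.37-3]'
SAMPLE_APT_ESSENTIAL='WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  dpkg apt
Remv dpkg [1.20.12]
Remv apt [2.2.4]
Remv zlib1g [1:1.2.11.dfsg-2]'

# Live triage of one package on the current host (default: zlib1g).
triage_host() {
    pkg=${1:-zlib1g}
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "dpkg not available; nothing to check on this host"
        return 0
    fi
    echo "installed: $(dpkg-query -W -f='${Package} ${Version} (${Status})\n' "$pkg" 2>/dev/null)"
    echo "libminizip1: $(dpkg-query -W -f='${Version} (${Status})\n' libminizip1 2>/dev/null || echo 'not installed')"
    lib=$(dpkg -L "$pkg" 2>/dev/null | grep '/libz\.so\.1$' | head -n 1)
    if [ -n "$lib" ] && command -v nm >/dev/null 2>&1; then
        echo "MiniZip symbols exported by $lib: $(minizip_symbol_count "$(nm -D "$lib" 2>/dev/null)")"
    fi
    if command -v apt-get >/dev/null 2>&1; then
        sim=$(apt-get -s remove "$pkg" 2>&1 || true)
        echo "packages apt would remove: $(count_removals "$sim")"
        if removes_essential "$sim"; then
            echo "WARNING: removal would take Essential packages with it"
        fi
        echo "reverse dependencies installed here:"
        apt-cache rdepends --installed "$pkg" 2>/dev/null | sed 1,2d | head -n 20
    fi
}

if [ "${1:-}" = "--live" ]; then
    triage_host "${2:-zlib1g}"
fi
```

Run as `sh triage.sh --live` on the affected host. A MiniZip symbol count of 0 for libz.so.1 and no installed libminizip1 is the evidence that the vulnerable code is not present on the system, which is worth recording in the dashboard's ticket regardless of what the scanner says; the simulated removal shows why "remove zlib1g" is rarely a practical mitigation.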
