NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

Was "CVE-2022-37434: zlib inflate issue" resolved in 2.4.1 NCPA release #922

Closed MrPippin66 closed 1 year ago

MrPippin66 commented 1 year ago

In NCPA 2.3.1, the zlib version is 1.2.0.

If this was resolved in 2.4.1, can you please update the release notes?

sawolf commented 1 year ago

Hi @MrPippin66, thanks for reaching out. I believe the zlib that's shipped with NCPA 2.4.1 is the CentOS 7.9 package zlib-1.2.7-20 - it looks to me like Red Hat elected not to backport a fix for this package for RHEL 7, so it's unlikely that CentOS would have a fix either.

My plan for the moment is that I'm going to try to build the newest zlib (1.2.13) which addresses this, and package that into the updated release we're doing for the discussion on #920 - I will let you know the status of that when I have an update.

MrPippin66 commented 1 year ago

Yes, Red Hat fixed this in RHEL8/9, but chose not to address RHEL7.

MrPippin66 commented 1 year ago

FYI, and it's been requested in other issues, but it would be highly desirable for the release notes and/or RPM manifest to include the bundled library and module versions included in any future packages.

sawolf commented 1 year ago

The nightly build (https://assets.nagios.com/downloads/ncpa/nightly/ncpa-2.4.1-2.el9.x86_64.rpm or https://assets.nagios.com/downloads/ncpa/nightly/ncpa-2.4.1-2.el7.x86_64.rpm) is now built with zlib 1.2.13.

> it would be highly desirable for the release notes and/or RPM manifest to include the bundled library and module versions included in any future packages

I can see where you're coming from - previously, the bundled versions would just always match the latest default packages for that specific distro. I'll see what I can do about getting the RPM manifest in order for NCPA 3.

MrPippin66 commented 1 year ago

When is 2.4.2 expected to be formally released for these security fixes?

MrPippin66 commented 1 year ago

@sawolf When can we expect an official 2.4.2 release?

sawolf commented 1 year ago

@MrPippin66 I wouldn't do a 2.4.2 release unless there were actual code changes in the repository. Since this issue was fixed by building NCPA within a different environment, we fixed this by updating the download links with a patched 2.4.1.
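A defender-side check for the bundled-version question raised in this thread, added here and not part of the NCPA project or of any comment above: it walks an NCPA install tree, loads each zlib shared library it finds with ctypes, asks the library for its own version string via zlibVersion(), and flags anything older than 1.2.13 (the first release carrying the CVE-2022-37434 fix; "zlib through 1.2.12" is affected). The default path /usr/local/ncpa and the library file-name patterns are assumptions, not values from the thread.

```python
import ctypes
import re
import sys
from pathlib import Path

FIXED_VERSION = (1, 2, 13)           # first zlib release with the CVE-2022-37434 fix
LIBRARY_GLOBS = ("libz.so*", "libz*.dylib", "zlib1.dll")   # assumed bundled-zlib file names
DEFAULT_ROOT = "/usr/local/ncpa"     # assumed NCPA install prefix; not taken from the thread


def parse_version(text):
    """Turn '1.2.13' or an RPM-style '1.2.7-20' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised zlib version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the version predates the fix ('zlib through 1.2.12' is affected)."""
    return parse_version(version_text) < FIXED_VERSION


def zlib_version_of(library_path):
    """Load the shared object and ask it for its own version via zlibVersion(); None if unloadable."""
    try:
        lib = ctypes.CDLL(str(library_path))
        lib.zlibVersion.restype = ctypes.c_char_p
        lib.zlibVersion.argtypes = []
        return lib.zlibVersion().decode("ascii")
    except (OSError, AttributeError):
        return None


def scan(root):
    """Map every zlib library found under root to (version string, affected?)."""
    root = Path(root)
    findings = {}
    if not root.is_dir():
        return findings
    for pattern in LIBRARY_GLOBS:
        for path in root.rglob(pattern):
            if path.is_symlink() or not path.is_file():   # symlink targets are matched on their own
                continue
            version = zlib_version_of(path)
            if version is not None:
                findings[str(path)] = (version, is_affected(version))
    return findings


if __name__ == "__main__":
    for root in sys.argv[1:] or [DEFAULT_ROOT]:
        for path, (version, affected) in sorted(scan(root).items()):
            print(f"{path}: zlib {version} {'AFFECTED (< 1.2.13)' if affected else 'ok'}")
```

Run it against an extracted RPM tree (for example the output of rpm2cpio piped into cpio) as well as the live install, since the version reported by the library itself is what matters, not the distro package name.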