Telefonica / prometheus-kafka-adapter

Use Kafka as a remote storage database for Prometheus (remote write only)
Apache License 2.0

madler-zlib 1.2.11 : New vulnerability reported with this opensource library #92

Closed karthik-chinta closed 2 years ago

karthik-chinta commented 2 years ago

Hi,

A new vulnerability was reported on madler-zlib 1.2.11 library with the below problem. "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches".

As a resolution, this library needs to be upgraded to version 1.2.12. Can you help us in upgrading this library?

Regards, Karthik

palmerabollo commented 2 years ago

Thanks @karthik-chinta for raising this issue. I'm not aware of that dependency (madler-zlib). Do you know if it is a library included in alpine:3.15? If that's the case, updating the Dockerfile to a more recent version should be an easy change.

palmerabollo commented 2 years ago

I have just run an apk list and I can see zlib-1.2.12-r0 x86_64, so I think it is already ok. Please reopen if that's not the case.

/ # apk list
libretls-3.3.4-r3 x86_64 {libretls} (ISC AND (BSD-3-Clause OR MIT)) [installed]
musl-1.2.2-r7 x86_64 {musl} (MIT) [installed]
zlib-1.2.12-r0 x86_64 {zlib} (Zlib) [installed]
apk-tools-2.12.7-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]
musl-utils-1.2.2-r7 x86_64 {musl} (MIT BSD GPL2+) [installed]
libssl1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
alpine-baselayout-3.2.0-r18 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
busybox-1.34.1-r5 x86_64 {busybox} (GPL-2.0-only) [installed]
scanelf-1.3.3-r0 x86_64 {pax-utils} (GPL-2.0-only) [installed]
ca-certificates-bundle-20211220-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
ssl_client-1.34.1-r5 x86_64 {busybox} (GPL-2.0-only) [installed]
libcrypto1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
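The check palmerabollo did by eye above (is the installed zlib at or past the version the advisory names as fixed, 1.2.12?) can be scripted so it runs in CI against the built image. The script below is an added example, not part of prometheus-kafka-adapter; the two `apk list` samples it embeds are constructed, the function names are my own, and it assumes the fixed version is 1.2.12 as the issue states.

```shell
#!/bin/sh
# Added example (not project code): verify that the zlib package shown by
# `apk list` is at or above the version that fixes the deflate memory
# corruption bug reported in this issue (zlib < 1.2.12).

FIXED_ZLIB_VERSION="1.2.12"   # from the advisory quoted in the issue

# Constructed samples of `apk list` output: one still on 1.2.11, one fixed.
SAMPLE_VULNERABLE='musl-1.2.2-r7 x86_64 {musl} (MIT) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]'
SAMPLE_FIXED='musl-1.2.2-r7 x86_64 {musl} (MIT) [installed]
zlib-1.2.12-r0 x86_64 {zlib} (Zlib) [installed]'

# Print the upstream version of the installed zlib package (e.g. "1.2.12"),
# or nothing if zlib is not in the listing. Matches only the "zlib" package
# itself, not zlib-dev or similar, by checking the origin field "{zlib}".
zlib_version() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^zlib-[0-9]/ && $3 == "{zlib}" {
            v = $1
            sub(/^zlib-/, "", v)      # drop the package name
            sub(/-r[0-9]+$/, "", v)   # drop the Alpine release suffix (-r0)
            print v
        }'
}

# Compare two dotted versions numerically; prints -1, 0 or 1 for a<b, a==b, a>b.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 when zlib >= FIXED_ZLIB_VERSION, 1 when older, 2 when absent.
zlib_is_fixed() {
    v=$(zlib_version "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$FIXED_ZLIB_VERSION")" -ge 0 ] && return 0
    return 1
}

# Human-readable report for one listing; never fails, so it is safe at top level.
report() {
    if zlib_is_fixed "$1"; then
        echo "zlib $(zlib_version "$1"): at or above $FIXED_ZLIB_VERSION, OK"
    else
        echo "zlib ${2:-missing}: below $FIXED_ZLIB_VERSION or not installed, needs attention"
    fi
}

report "$SAMPLE_VULNERABLE" "$(zlib_version "$SAMPLE_VULNERABLE")"
report "$SAMPLE_FIXED"
```

In a real pipeline, feed it the live listing instead of the samples, for example `zlib_is_fixed "$(docker run --rm IMAGE apk list)"`, and fail the build on a non-zero status; the exit code distinguishes "too old" from "not installed" so a base-image change that silently drops the package is also noticed.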