Open njkwon-wavefin opened 3 months ago
Thanks for reporting this issue. The zlib version used is a copy of zlib-1.2.7-18.el7.aarch64.rpm vended from CentOS which has been patched. The team will work on getting the files updated but this version is currently required to fully support all aarch64 platforms we currently distribute for. Also please note that the AWS CLI was not originally susceptible to the CVE in question here.
Describe the issue
The Linux ARM/aarch64 version of AWS CLI v2 in 2.17.18 has zlib 1.2.7 in libz.so.1.
zlib 1.2.8 has a security vulnerability report on NIST and GitHub, and 1.2.7 is also affected.
I am using the Aqua scanner for security checks, and based on their report the fixed version is 1.2.9. Do you have a plan for updating zlib to version 1.2.9 or above in libz.so.1?
Additional Information/Context
CVE-2016-9842 description: The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
version in the aarch64
CLI version used
2.17.18
Environment details (OS name and version, etc.)
Linux ARM/aarch64
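One way to check which zlib a bundled libz.so.1 actually carries, as an added example that is not part of this issue or of the aws-cli project: it scans the library for the version string zlib embeds in its inflate/deflate copyright notices and compares it with the fixed version the scanner reported. The sample blob is constructed, the install path is an assumption, and, as the maintainer's reply explains, a distro-patched build keeps the upstream version string, so a "below" result is a scanner-style finding, not proof of exposure.

```python
"""Report the zlib version compiled into a libz.so.1 and compare it with
the version a scanner calls fixed. Standalone example; not aws-cli code."""
import re
import sys

# zlib embeds " inflate X.Y.Z Copyright ..." and " deflate X.Y.Z Copyright ..."
# in every build, so the string survives stripping of symbol tables.
VERSION_RE = re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+(?:\.\d+)?) Copyright")

# Assumed default location of the library in an AWS CLI v2 install; adjust.
DEFAULT_LIB = "/usr/local/aws-cli/v2/current/dist/libz.so.1"

# Constructed stand-in for the string data of a libz.so.1 built from zlib 1.2.7.
SAMPLE_BLOB = (b"\x00 inflate 1.2.7 Copyright 1995-2012 Mark Adler \x00"
               b" deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler \x00")


def zlib_version_from_blob(blob: bytes):
    """Return the embedded zlib version string, or None if not found."""
    m = VERSION_RE.search(blob)
    return m.group(1).decode("ascii") if m else None


def parse_version(v: str):
    """'1.2.11' -> (1, 2, 11) so that 1.2.11 sorts above 1.2.9."""
    return tuple(int(p) for p in v.split("."))


def assess(found, fixed: str = "1.2.9"):
    """Version-string comparison only. A backported fix (e.g. a distro RPM
    patched in place) still reports the old upstream string, so
    'below-fixed-version' means 'verify against the package changelog',
    not 'vulnerable'."""
    if found is None:
        return "unknown"
    if parse_version(found) >= parse_version(fixed):
        return "at-or-above-fixed"
    return "below-fixed-version"


def inspect_library(path: str):
    with open(path, "rb") as f:
        return zlib_version_from_blob(f.read())


if __name__ == "__main__":
    lib = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LIB
    try:
        found = inspect_library(lib)
    except OSError:
        found = zlib_version_from_blob(SAMPLE_BLOB)  # fall back to the constructed sample
    print(f"zlib {found}: {assess(found)}")
```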