wolfi-dev / os

Main package repository for production Wolfi images

zlib cve #7218

Closed mybigman closed 11 months ago

mybigman commented 11 months ago

./grype wolfi-base
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                                                                   wolfi-base:latest
 ✔ Parsed image                                             sha256:0f5f77c7949fc504af46c67b6ed6d44ad2a9a58b36a0d6ef7c5108f03a3e5553
 ✔ Cataloged packages              [29 packages]
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]
   ├── by severity: 2 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 2 not-fixed, 0 ignored
NAME  INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
zlib  1.3-r1               apk   CVE-2023-45853  Critical

Neustradamus commented 11 months ago

Linked to:

dlorenc commented 11 months ago

We fixed this yesterday, the scanners might take a day or so to catch up: https://github.com/wolfi-dev/advisories/blob/main/zlib.advisories.yaml

dlorenc commented 11 months ago

https://github.com/wolfi-dev/os/commit/2a8d2cc795103e76ea65a06c18b421f09f2c0f75

If you have 1.3-r1 you should be fine!

luhring commented 11 months ago

Closing for now since scan results look clean, let me know if I missed something!

$ grype -q cgr.dev/chainguard/wolfi-base
No vulnerabilities found