
zlib1g 1:1.2.11.dfsg


Marcio B.

Oct 20, 2023, 9:40:06 AM
Hi

I have the zlib1g 1:1.2.11.dfsg library installed on my Debian 11.8 server and my vulnerability dashboard shows that the library has CVE-2023-45853. I would like to know if there is a patch for this vulnerability since there is no candidate package for update.

If it doesn't exist, how could you check the impact of removing this package?

Regards,

Márcio Bacci

Marcio B.

Oct 20, 2023, 9:50:07 AM
Thank you very much.

How could I check the impact if I choose to remove this package?

Regards,

Márcio Bacci



On Fri, Oct 20, 2023 at 10:40, Greg Wooledge <gr...@wooledge.org> wrote:
On Fri, Oct 20, 2023 at 10:33:03AM -0300, Marcio B. wrote:
> I have the *zlib1g 1:1.2.11.dfsg* library installed on my Debian 11.8
> server and my vulnerability dashboard shows that the library has
> *CVE-2023-45853*. I would like to know if there is a patch for this vulnerability
> since there is no candidate package for update.

https://security-tracker.debian.org/tracker/CVE-2023-45853

When there's an update available, it'll show up here, among other
places.

Greg Wooledge

Oct 20, 2023, 9:50:07 AM
On Fri, Oct 20, 2023 at 10:33:03AM -0300, Marcio B. wrote:
> I have the *zlib1g 1:1.2.11.dfsg* library installed on my Debian 11.8
> server and my vulnerability dashboard shows that the library has
> *CVE-2023-45853*. I would like to know if there is a patch for this vulnerability
> since there is no candidate package for update.

Roberto C. Sánchez

Oct 20, 2023, 10:00:06 AM
On Fri, Oct 20, 2023 at 10:33:03AM -0300, Marcio B. wrote:
> Hi
> I have the zlib1g 1:1.2.11.dfsg library installed on my Debian 11.8 server
> and my vulnerability dashboard shows that the library has CVE-2023-45853.

You don't specify what vulnerability dashboard you are using. However,
in my experience most of them are close to worthless because they do a
poor job of properly assessing whether vulnerabilities are really
present.

In any event, this is the Debian Security Tracker page for
CVE-2023-45853:
https://security-tracker.debian.org/tracker/CVE-2023-45853

It shows the vulnerability is currently present in all versions of
Debian. However, the CVE description at the top of the page includes
this:

"NOTE: MiniZip is not a supported part of the zlib product."

It is possible that either this vulnerability is not actually applicable
in the Debian package (e.g., if that particular capability is not built
into the Debian package) or that it is applicable but is considered of
minor impact by the Debian Security Team.

Note that this particular CVE was only added to the Debian Security
Tracker on October 14th (in commit b34c32795) and that it is likely still
under evaluation by the security team.

> I would like to know if there is a patch for this vulnerability since there is no
> candidate package for update.
>
If you have the bullseye-security source configured on your system and
you update regularly, then you will receive the updated package once it
is available.

> If it doesn't exist, how could you check the impact of removing this
> package?

The zlib1g package has 'Priority: optional', so in theory you should be
able to remove it. However, in practice many packages depend on it so
the actual result depends greatly on what specific packages you have
installed in your system. Something like 'sudo apt-get remove zlib1g'
will calculate all the required removals, present them to you for
review, and then ask Y/N whether you want to remove them. There are
other ways to obtain this information, but that is probably the
simplest.

Regards,

-Roberto

--
Roberto C. Sánchez
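As an added example that is not code from the thread: the check Roberto points at (is the MiniZip capability actually built into the Debian package?) can be made concrete by reading the dynamic symbol table of the installed libz.so.1. The function named in the CVE-2023-45853 description, zipOpenNewFileInZip4_64, lives in zlib's contrib/minizip, so a build that linked that code in would export it; a version-string match alone cannot tell the two cases apart. The nm output embedded below is constructed for the example, the MiniZip symbol list is an assumption drawn from minizip's public zip/unzip API, and the library path in the usage comment is simply the usual amd64 location.

```python
"""Added example (not code from the thread): does an installed zlib shared
object contain the MiniZip code that CVE-2023-45853 lives in?

If contrib/minizip was compiled into libz.so.1 its entry points show up in the
dynamic symbol table; if not, the vulnerable function does not exist in the
binary whatever the version string says. Samples below are constructed.
"""
import re
import shutil
import subprocess
import sys
from typing import Dict, Set

# Public entry points of contrib/minizip (zip.h / unzip.h); an assumption about
# what a minizip-enabled build would export. The first one is the function
# named in the CVE-2023-45853 description.
MINIZIP_SYMBOLS = {
    "zipOpenNewFileInZip4_64",
    "zipOpen", "zipOpen64", "zipClose",
    "unzOpen", "unzOpen64", "unzClose",
}

# Symbols every real libz.so.1 exports; used to confirm we parsed a zlib table.
CORE_ZLIB_SYMBOLS = {"inflate", "deflate", "zlibVersion", "crc32"}

# One line of `nm -D` output: optional address, type letter, symbol name.
# Newer binutils append @@VERSION (or @VERSION) to versioned names; strip it.
_NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+([^\s@]+)")


def parse_nm(output: str) -> Set[str]:
    """Return the names of defined symbols (type letter other than 'U')."""
    names: Set[str] = set()
    for line in output.splitlines():
        m = _NM_LINE.match(line)
        if m and m.group(1) != "U":
            names.add(m.group(2))
    return names


def minizip_exposure(symbols: Set[str]) -> Dict[str, object]:
    """Decide whether the CVE's code path exists in this binary at all."""
    return {
        "looks_like_zlib": bool(symbols & CORE_ZLIB_SYMBOLS),
        "minizip_symbols": sorted(symbols & MINIZIP_SYMBOLS),
        "cve_2023_45853_code_present": "zipOpenNewFileInZip4_64" in symbols,
    }


def scan_library(path: str) -> Dict[str, object]:
    """Run nm on a real shared object (needs binutils); not used by the samples."""
    nm = shutil.which("nm")
    if nm is None:
        raise RuntimeError("nm not found; install binutils")
    proc = subprocess.run([nm, "-D", "--defined-only", path],
                          check=True, capture_output=True, text=True)
    return minizip_exposure(parse_nm(proc.stdout))


# Constructed `nm -D` output resembling a libz.so.1 built without contrib/minizip.
SAMPLE_PLAIN_ZLIB = """\
0000000000003a70 T adler32@@ZLIB_1.2.0
0000000000004120 T crc32@@ZLIB_1.2.0
000000000000d2e0 T deflate@@ZLIB_1.2.0
0000000000011c40 T inflate@@ZLIB_1.2.0
0000000000002fe0 T zlibVersion@@ZLIB_1.2.0
                 U malloc@GLIBC_2.2.5
"""

# Constructed output for a hypothetical build that linked minizip in.
SAMPLE_WITH_MINIZIP = SAMPLE_PLAIN_ZLIB + """\
0000000000021a00 T unzOpen
0000000000021b30 T zipOpen
0000000000022f10 T zipOpenNewFileInZip4_64
"""

if __name__ == "__main__":
    # Usage: python3 check_minizip.py /lib/x86_64-linux-gnu/libz.so.1
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = (scan_library(target) if target
              else minizip_exposure(parse_nm(SAMPLE_PLAIN_ZLIB)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A library that reports an empty minizip_symbols list has no code path for CVE-2023-45853 regardless of its version string; that is the difference between a dashboard match and actual exposure. The check only reads the dynamic symbol table of the one shared object you point it at, so it says nothing about other packages that might carry their own statically linked copy of minizip.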

David Wright

Oct 20, 2023, 10:00:06 AM
On Fri 20 Oct 2023 at 10:45:24 (-0300), Marcio B. wrote:
> Thank you very much.
>
> How could I check the impact if I choose to remove this package?

$ apt-get -s purge zlib1g

Actually doing this will destroy your system. My (bullseye) system has
2057 packages installed. Purging zlib1g removes 1062 of them,
including 20 essential packages:

WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
apt adduser (due to apt) gpgv (due to apt) libapt-pkg6.0 (due to apt) dash
dpkg (due to dash) debconf (due to dash) zlib1g (due to dpkg) grep
install-info (due to grep) gzip init systemd-sysv (due to init)
init-system-helpers (due to init) perl-base (due to init-system-helpers)
login libpam0g (due to login) libpam-runtime (due to login)
libpam-modules (due to login) util-linux
0 upgraded, 1 newly installed, 1062 to remove and 0 not upgraded.

Cheers,
David.
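An added example, not David's or Roberto's code: a small parser for the `apt-get -s purge` simulation output quoted above, producing the figures a change review would want (how many packages go, which of them are essential, and which dependency pulled each essential package in). The simulation text in the block is constructed in the shape of David's output and is not his actual run; the package names and versions in it are illustrative only.

```python
"""Added example (not code from the thread): read `apt-get -s purge <pkg>`
output and report what the removal would take with it. The two samples are
constructed; run_simulation() only simulates and never applies anything."""
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_ACTION = re.compile(r"^(Remv|Purg)\s+(\S+)")
_SUMMARY = re.compile(
    r"^(\d+) upgraded, (\d+) newly installed, (\d+) to remove and (\d+) not upgraded\.")
_ESSENTIAL_HDR = "WARNING: The following essential packages will be removed."
# "pkg" or "pkg (due to other)" tokens on the warning's package lines
_ESSENTIAL_ITEM = re.compile(r"(\S+)(?:\s+\(due to ([^)]+)\))?")


@dataclass
class RemovalImpact:
    removed: List[str] = field(default_factory=list)       # Remv/Purg lines, in order
    essential: Dict[str, Optional[str]] = field(default_factory=dict)  # pkg -> "due to"
    summary_to_remove: Optional[int] = None                # count from the summary line


def parse_apt_simulation(output: str) -> RemovalImpact:
    impact = RemovalImpact()
    in_essential = False
    for line in output.splitlines():
        if line.startswith(_ESSENTIAL_HDR):
            in_essential = True
            continue
        if in_essential:
            if line.startswith("This should NOT be done"):
                continue
            if line.strip() and not _SUMMARY.match(line):
                for m in _ESSENTIAL_ITEM.finditer(line):
                    impact.essential[m.group(1)] = m.group(2)
                continue
            in_essential = False      # summary or blank line ends the warning block
        m = _SUMMARY.match(line)
        if m:
            impact.summary_to_remove = int(m.group(3))
            continue
        m = _ACTION.match(line)
        if m:
            impact.removed.append(m.group(2))
    return impact


def verdict(impact: RemovalImpact, target: str) -> str:
    """One-line decision; any essential package in the list means stop."""
    if impact.essential:
        names = ", ".join(sorted(impact.essential))
        return (f"do not proceed: purging {target} removes {len(impact.removed)} "
                f"packages, {len(impact.essential)} of them essential ({names})")
    others = [p for p in impact.removed if p != target]
    if others:
        return f"purging {target} also removes {len(others)} dependants: {', '.join(others)}"
    return f"{target} can be removed alone"


def run_simulation(target: str) -> RemovalImpact:
    """Real run: -s makes apt-get print the plan without touching the system."""
    apt = shutil.which("apt-get")
    if apt is None:
        raise RuntimeError("apt-get not found")
    proc = subprocess.run([apt, "-s", "purge", target], capture_output=True, text=True)
    return parse_apt_simulation(proc.stdout)


# Constructed, shortened to the shape of the output David posted (not his run).
SAMPLE_ZLIB1G = """\
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  apt* dpkg* gzip* libpng16-16* zlib1g*
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  apt dpkg (due to apt) gzip zlib1g (due to dpkg)
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
Purg libpng16-16 [1.6.37-3]
Purg apt [2.2.4]
Purg dpkg [1.20.12]
Purg gzip [1.10-4]
Purg zlib1g [1:1.2.11.dfsg-2]
"""

# Constructed: a leaf package that nothing else depends on.
SAMPLE_LEAF = """\
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  libminizip1*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Purg libminizip1 [1.1-8]
"""

if __name__ == "__main__":
    import sys
    print(verdict(run_simulation(sys.argv[1]), sys.argv[1]))
```

The essential-package block is the part worth automating: apt prints it only when the removal reaches the base system, and the "(due to ...)" annotations tell you which dependency chain drags each essential package out, which is exactly what you need to argue that a library flagged by a scanner cannot simply be uninstalled.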

Marcio B.

Oct 20, 2023, 10:50:06 AM
Thank you very much.

