Your message dated Wed, 17 Aug 2022 21:22:56 +0000
with message-id <e1ooqv6-00aafb...@fasolo.debian.org>
and subject line Bug#1016710: fixed in zlib 1:1.2.11.dfsg-4.1
has caused the Debian Bug report #1016710,
regarding zlib: CVE-2022-37434
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1016710: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zlib
Version: 1:1.2.11.dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:1.2.11.dfsg-1
Control: found -1 1:1.2.11.dfsg-2+deb11u1

Hi,

The following vulnerability was published for zlib.

CVE-2022-37434[0]:
| zlib through 1.2.12 has a heap-based buffer over-read or buffer
| overflow in inflate in inflate.c via a large gzip header extra field.
| NOTE: only applications that call inflateGetHeader are affected. Some
| common applications bundle the affected zlib source code but may be
| unable to call inflateGetHeader (e.g., see the nodejs/node reference).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37434
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
[1] https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
[2] https://github.com/ivd38/zlib_overflow

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
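The CVE text above turns on one contract of the zlib API: an application that calls inflateGetHeader() hands zlib a gz_header whose `extra` buffer holds `extra_max` bytes, zlib reports the field's declared length in `extra_len`, and the copy into `extra` has to stay within `extra_max` no matter how large the header's XLEN is. The following is an added example written for this page, not zlib's inflate.c and not code from the bug report: a small stand-alone RFC 1952 gzip header reader with the same caller contract, whose bounded copy compares the length against `extra_max` before copying rather than computing `extra_max - length` (the unsigned subtraction that wraps when the field is longer than the buffer), which is the shape of the check the upstream commit linked at [1] adds. The parser, the sample headers and the two demo functions are constructed for the example; only inflateGetHeader(), `extra_max` and `extra_len` are zlib's names.

```c
#include <string.h>

/* Added example, not zlib's inflate.c and not part of the bug report: a small
 * RFC 1952 gzip header reader with the caller contract of inflateGetHeader():
 * the caller supplies `extra` with room for `extra_max` bytes, the reader
 * records the declared length in `extra_len` and never writes past `extra_max`. */

enum { GZ_FHCRC = 0x02, GZ_FEXTRA = 0x04, GZ_FNAME = 0x08,
       GZ_FCOMMENT = 0x10, GZ_RESERVED = 0xe0 };

typedef struct {
    unsigned char *extra;   /* caller-provided buffer, may be NULL */
    unsigned extra_max;     /* capacity of `extra` in bytes */
    unsigned extra_len;     /* full XLEN declared in the stream */
} gz_hdr_info;

/* Skip a zero-terminated string field; returns 0 if the terminator is missing. */
static int skip_cstring(const unsigned char *in, size_t in_len, size_t *pos)
{
    while (*pos < in_len && in[*pos] != 0) (*pos)++;
    if (*pos == in_len) return 0;
    (*pos)++;
    return 1;
}

/* Returns header bytes consumed, or -1 on malformed or truncated input. */
long parse_gzip_header(const unsigned char *in, size_t in_len, gz_hdr_info *h)
{
    size_t pos = 10;                        /* ID1 ID2 CM FLG MTIME(4) XFL OS */
    unsigned flags;

    h->extra_len = 0;
    if (in_len < 10 || in[0] != 0x1f || in[1] != 0x8b || in[2] != 8)
        return -1;
    flags = in[3];
    if (flags & GZ_RESERVED) return -1;

    if (flags & GZ_FEXTRA) {
        unsigned xlen;
        if (in_len - pos < 2) return -1;
        xlen = in[pos] | ((unsigned)in[pos + 1] << 8);   /* little-endian XLEN */
        pos += 2;
        if (in_len - pos < xlen) return -1; /* declared length must fit the input */
        h->extra_len = xlen;
        if (h->extra != NULL) {
            /* Bound the copy by comparing, never by computing extra_max - xlen:
             * that unsigned subtraction wraps when xlen > extra_max. */
            unsigned copy = xlen < h->extra_max ? xlen : h->extra_max;
            memcpy(h->extra, in + pos, copy);
        }
        pos += xlen;
    }
    if ((flags & GZ_FNAME) && !skip_cstring(in, in_len, &pos)) return -1;
    if ((flags & GZ_FCOMMENT) && !skip_cstring(in, in_len, &pos)) return -1;
    if (flags & GZ_FHCRC) {                 /* CRC16 of the header */
        if (in_len - pos < 2) return -1;
        pos += 2;
    }
    return (long)pos;
}

/* Constructed sample: FEXTRA with a 6-byte field "ABCDEF", read into a 4-byte
 * buffer with guard bytes after it. Returns the declared extra_len (6) when
 * the field was truncated and the guard bytes are intact; negative on failure. */
int demo_truncated_extra(void)
{
    static const unsigned char hdr[] = {
        0x1f, 0x8b, 0x08, GZ_FEXTRA, 0, 0, 0, 0, 0x00, 0x03,
        0x06, 0x00,                         /* XLEN = 6 */
        'A', 'B', 'C', 'D', 'E', 'F'
    };
    unsigned char buf[8];
    gz_hdr_info h = { buf, 4, 0 };

    memset(buf, 0xAA, sizeof buf);          /* buf[4..7] are guard bytes */
    if (parse_gzip_header(hdr, sizeof hdr, &h) != (long)sizeof hdr)
        return -1;
    if (memcmp(buf, "ABCD", 4) != 0)
        return -2;
    for (int i = 4; i < 8; i++)
        if (buf[i] != 0xAA)                 /* a write here would be an overflow */
            return -3;
    /* The check an inflateGetHeader() caller should make as well: extra_len
     * larger than extra_max means `extra` holds only a truncated field. */
    return h.extra_len > h.extra_max ? (int)h.extra_len : 0;
}

/* Constructed sample: XLEN declares 65535 bytes but only one byte follows. */
long demo_declared_length_exceeds_input(void)
{
    static const unsigned char hdr[] = {
        0x1f, 0x8b, 0x08, GZ_FEXTRA, 0, 0, 0, 0, 0x00, 0x03, 0xff, 0xff, 'A' };
    gz_hdr_info h = { NULL, 0, 0 };
    return parse_gzip_header(hdr, sizeof hdr, &h);   /* -1 */
}
```

The practical point for an application that calls inflateGetHeader() is the last line of demo_truncated_extra(): after the header has been read, compare `extra_len` with `extra_max`, because a field longer than the buffer is truncated silently and the buffer does not hold the whole field. The second demo shows the other half of defensive header parsing, refusing a declared length that the input cannot back up instead of reading past the end of it.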
--- Begin Message ---
Source: zlib
Source-Version: 1:1.2.11.dfsg-4.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
zlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated zlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Aug 2022 22:15:03 +0200
Source: zlib
Architecture: source
Version: 1:1.2.11.dfsg-4.1
Distribution: unstable
Urgency: medium
Maintainer: Mark Brown <broo...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1016710
Changes:
 zlib (1:1.2.11.dfsg-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix a bug when getting a gzip header extra field with inflate()
     (CVE-2022-37434) (Closes: #1016710)
   * Fix extra field processing bug that dereferences NULL state->head
Package-Type: udeb
Checksums-Sha1:
 e788bde095f81b5b2cb21a308b262fce03c03046 2881 zlib_1.2.11.dfsg-4.1.dsc
 8b65188ca0b7db81f0d2181241e6cd6078a67f78 24052 zlib_1.2.11.dfsg-4.1.debian.tar.xz
Checksums-Sha256:
 aeb102797f718f2f9bcd090b233dcfaa6a43bd0d7e0148a2d880822406c89728 2881 zlib_1.2.11.dfsg-4.1.dsc
 6136b2cc6483c27eec681f995864f1876c4765e69ad9c9c61d9cd62a86104e4d 24052 zlib_1.2.11.dfsg-4.1.debian.tar.xz
Files:
 c17267d03d107fff399e23256d5c65f9 2881 libs optional zlib_1.2.11.dfsg-4.1.dsc
 3f999d9728092fc90171cd0b2d9c2ae1 24052 libs optional zlib_1.2.11.dfsg-4.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmL2vBFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EoDYP/3jFQ/DraaABL1Up42uBtrW/SNz6Z/PE
xP+Z/QI/covRFnx3Tv7yQmm1DARq6VqdCTsFHBmyFSbJI4vp8ftCewqwrW39+4wC
JPIeatxySXw9W7jFytPMfGmyEIgoA6ijVMX95aYCSJFFTfinEQzGct5gZ6mf6n2K
3s80+ocxfJ80pkKVtJXUVghdlfGUAVqk+NTDEeGXmURvAyBmfgmZSqzGvG1O1iZ+
16ZqlI6PgM5JSs7dNLP1CUgmoqSi8azzeE6XUTUAfrJ/qRdXimV/Ilr89bEp3zxT
nWCWGMHalZhBoi0aEUY0JEsPxx1ohtZ2oRpcjvjWJBoHIHGammAdbnYDpYK+kQjl
xqtI5ioqtBNOCFWlzbgDqhb8Xw2997q5fGqA2nQF/EDS93LT5X+Wb01rnjKqNhd1
RL5aLvPO9ik4NDJJBnsSBuumzM+M8boU13iRs6r2x0fpVbgxIUOiq3ZjX6KzTg/5
AAIKgiib4MuFX5+wh6EddVVUYdLZzhCAzN0d6vhBdBDvKk6QG0VrdFEqgjWABpR+
tTQYRV0HiNh1m7nJr23zae9XVGfUCOg0ES0fahxrKg9INkNx2I5jsrt73dm2eBXJ
yl9iRBMTJWmnaBVpkKVOZcJQHIj+M7PcWO1d03nL3bjAHhzd0o3E0Uew6lsbJEwH
g/QW/zOqCWmm
=mrUG
-----END PGP SIGNATURE-----

--- End Message ---