Hi Salvatore,

I see the latest secdb provided by Debian marks these as vulnerable, but ignored. Can Debian update documentation to make clear that open + ignored is a form of not-vulnerable? In my understanding, the term ignored does not imply that the vulnerability was not valid / did not apply.

Pulled from here: https://security-tracker.debian.org/tracker/data/json

The data shows this as an open, unresolved vulnerability in Bookworm and Bullseye for zip, e.g.:

    cat debian-security-tracker.json | jq '.zlib."CVE-2023-45853"'

    "releases": {
      "bookworm": {
        "status": "open",
        "repositories": {
          "bookworm": "1:1.2.13.dfsg-1"
        },
        "urgency": "not yet assigned",
        "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
        "nodsa_reason": "ignored"
      },
      "bullseye": {
        "status": "open",
        "repositories": {
          "bullseye": "1:1.2.11.dfsg-2+deb11u2",
          "bullseye-security": "1:1.2.11.dfsg-2+deb11u2"
        },
        "urgency": "not yet assigned",
        "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
        "nodsa_reason": "ignored"
      },

I can always ask our vendors to re-examine, but it would be helpful if this was explicitly called out that it is ignored because it is not vulnerable as the package currently stands.

> On Oct 27, 2024, at 2:13 AM, Salvatore Bonaccorso wrote:
>
> Hi Mike,
>
> On Fri, Oct 25, 2024 at 08:42:28AM -0400, Mike Brancato wrote:
>> Hello,
>>
>> Several security databases flag Debian Bookworm and Bullseye as vulnerable
>> to a critical severity vulnerability in minizip as part of zlib. In the
>> tracker for CVE-2023-45853, the notes seem to already capture that they are
>> not vulnerable. But the table and the reported data show vulnerable.
>>
>> The author has clarified multiple times that zlib is not vulnerable for
>> these, and has stated there is no minizip code in these packages. The author
>> also appears to have reached out to the Debian security team, and was
>> rejected? Other distributions do not mark this code as vulnerable.
>>
>> If this *is* vulnerable, can the fix just be backported to the version used
>> in Bullseye and Bookworm?
>>
>> https://security-tracker.debian.org/tracker/CVE-2023-45853
>>
>> https://github.com/madler/zlib/pull/843#issuecomment-1987681984
>> https://github.com/madler/zlib/pull/843#issuecomment-2010683088
>> https://github.com/madler/zlib/pull/843#issuecomment-2050417533
>
> The tracking here is already correct. The shipped source is affected
> but the security impact is not present, as binaries are not built.
> This is already sufficiently reflected with the ignored note.
>
> Security scanners often ignore this assessment; this might be why you
> are asking? In such case, ask the vendor of your security scanner to
> include assessment of the <ignored> (explanation) tag.
>
> Thanks already,
> Regards,
> Salvatore
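As an added example (not code from the thread or from the Debian tracker project), the following Python shows how a scanner post-processor can read the tracker's per-release entries and distinguish a plain "open" entry from "open" with nodsa_reason "ignored", the case discussed above. The sample JSON is constructed in the export's layout with the values quoted in the thread; the function and label names are this example's own.

```python
import json

# Constructed sample in the layout of the tracker's JSON export, using the
# values quoted in the thread for src:zlib / CVE-2023-45853 (not a live download).
SAMPLE_TRACKER_JSON = """{
  "zlib": {"CVE-2023-45853": {"releases": {
    "bookworm": {
      "status": "open",
      "repositories": {"bookworm": "1:1.2.13.dfsg-1"},
      "urgency": "not yet assigned",
      "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
      "nodsa_reason": "ignored"
    },
    "bullseye": {
      "status": "open",
      "repositories": {"bullseye": "1:1.2.11.dfsg-2+deb11u2", "bullseye-security": "1:1.2.11.dfsg-2+deb11u2"},
      "urgency": "not yet assigned",
      "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
      "nodsa_reason": "ignored"
    }
  }}}
}"""

def load_sample() -> dict:
    return json.loads(SAMPLE_TRACKER_JSON)

def classify(entry: dict) -> str:
    """Label one per-release entry. A scanner that reads only "status" calls
    every "open" entry vulnerable; "open" with nodsa_reason "ignored" means the
    source is affected but no DSA is planned, and "nodsa" says why (here: the
    affected code is not built into any binary package)."""
    status = entry.get("status", "unknown")
    if status != "open":
        return status                      # e.g. "resolved"
    reason = entry.get("nodsa_reason")
    return f"open-{reason}" if reason else "open"

def triage(tracker: dict, package: str, cve: str) -> dict:
    """Per-release labels, e.g. {"bookworm": "open-ignored", ...}."""
    return {rel: classify(e) for rel, e in tracker[package][cve]["releases"].items()}

def still_actionable(tracker: dict, package: str, cve: str) -> list:
    """Releases a scanner should still raise: open with no nodsa explanation."""
    return sorted(r for r, lab in triage(tracker, package, cve).items() if lab == "open")

if __name__ == "__main__":
    data = load_sample()
    for rel, label in triage(data, "zlib", "CVE-2023-45853").items():
        print(rel, label, "-", data["zlib"]["CVE-2023-45853"]["releases"][rel].get("nodsa", ""))
```

Pointing load at the real export instead of the sample gives the same per-release labels for any package/CVE pair, so the "nodsa" text can be surfaced next to the finding rather than dropped.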
