Thank you very much.
On Fri, 20 Oct 2023 at 10:56, Roberto C. Sánchez <robe...@debian.org> wrote:

> On Fri, Oct 20, 2023 at 10:33:03AM -0300, Marcio B. wrote:
> > Hi
> > I have the zlib1g 1:1.2.11.dfsg library installed on my Debian 11.8 server
> > and my vulnerability dashboard shows that the library has CVE-2023-45853.
>
> You don't specify what vulnerability dashboard you are using. However,
> in my experience most of them are close to worthless because they do a
> poor job of properly assessing whether vulnerabilities are really
> present.
>
> In any event, this is the Debian Security Tracker page for
> CVE-2023-45853:
> https://security-tracker.debian.org/tracker/CVE-2023-45853
>
> It shows the vulnerability is currently present in all versions of
> Debian. However, the CVE description at the top of the page includes
> this:
>
> "NOTE: MiniZip is not a supported part of the zlib product."
>
> It is possible that either this vulnerability is not actually applicable
> in the Debian package (e.g., if that particular capability is not built
> into the Debian package) or that it is applicable but is considered of
> minor impact by the Debian Security Team.
>
> Note that this particular CVE was only added to the Debian Security
> Tracker on October 14th (in commit b34c32795) and that it is likely still
> under evaluation by the security team.
>
> > I would like if there is a patch for this vulnerability since there is no
> > candidate package for update.
>
> If you have the bullseye-security source configured on your system and
> you update regularly, then you will receive the updated package once it
> is available.
>
> > If it doesn't exist, how could you check the impact of removing this
> > package?
>
> The zlib1g package has 'Priority: optional', so in theory you should be
> able to remove it. However, in practice many packages depend on it so
> the actual result depends greatly on what specific packages you have
> installed in your system. Something like 'sudo apt-get remove zlib1g'
> will calculate all the required removals, present them to you for
> review, and then ask Y/N whether you want to remove them. There are
> other ways to obtain this information, but that is probably the
> simplest.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
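
The removal-impact check described in the quoted reply can also be done without touching the system, shown here as an added example that is not part of the original thread: `apt-get -s` (simulate) prints one `Remv` line per package it would remove, and the function below summarizes that output. The helper name `removal_impact` is hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: summarize what `apt-get -s remove <pkg>` would take with it.
# On a real system (simulation needs no root and changes nothing):
#   apt-get -s remove zlib1g | removal_impact zlib1g

# Constructed sample of simulation output; the bracketed versions of the
# two dependent packages are placeholders, not real version strings.
SAMPLE_SIMULATION='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  libpng16-16 openssh-client zlib1g
Remv openssh-client [0.0-constructed]
Remv libpng16-16:i386 [0.0-constructed]
Remv zlib1g [1:1.2.11.dfsg]'

# removal_impact PKG  (hypothetical helper name)
# Reads simulation output on stdin. Prints a summary line plus one line per
# package that would be removed in addition to PKG.
# Exit status: 0 if nothing else is removed, 1 if other packages go too.
removal_impact() {
    target=$1
    awk -v target="$target" '
        $1 == "Remv" {
            name = $2
            sub(/:.*/, "", name)      # drop a multiarch suffix such as :i386
            if (name == target) { found = 1; next }
            extra[++n] = name
        }
        END {
            printf "target_removed=%s collateral=%d\n", (found ? "yes" : "no"), n
            for (i = 1; i <= n; i++) print "  also removes: " extra[i]
            exit (n > 0)
        }'
}

printf '%s\n' "$SAMPLE_SIMULATION" | removal_impact zlib1g || true
```

A non-zero exit status means the library cannot be removed on its own, which is the usual outcome for zlib1g on a server.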