On 29.01.2025 2:39 PM, Hanno 'Rince' Wagner wrote:
>>> How does your "automatically scanned for possible vulnerabilities"
>>> actually work?
>> I don't know, but it does not matter in that context.
> It does matter because you have to interpret the output of your
> scanner and understand it.
Well, that's not really what I meant in the previous sentence.
It does not matter "how the scanner *actually works*" (what sources it
gets, what filters it applies etc.), but I have to properly interpret
its output - that's true.
>> So, I thought those two critical alarms are just false alarms because
>> they are already fixed in Debian (as usual, in normal security fixes,
>> backports or whatever) - even if that's not reflected in the package
>> main version number - so I can easily find information about that on
>> Debian pages. But I can't find it - worse - I found a confirmation that
>> bookworm is vulnerable.
>> So now I suppose I just don't fully understand the information I
>> found, so that's why I'm asking you guys for help on this Debian user
>> mailing list.
> This strange scanner found a CVE attached to minizip. minizip is part
> of zlib, but not supported. Therefore, for Debian there is no reason to
> provide a security fix, since the program (minizip) is not supported by
> the package zlib itself.
No. The "strange scanner" says that the vulnerability is in the "zlib1g"
package (not minizip).
Based on that (I described it in my first post) I found that it's a Debian
binary package from zlib which is vulnerable in bookworm. And that was a
surprise - that's it.
> If you use such a scanner, _you_ have to understand the output of the
> scanner, the CVE itself _and_ the impact on _your_ system. The scanner
> can only check a version number against a CVE. But what it means _in
> your situation_ is your responsibility, not Debian's, not the scanner's.
Yes. But I'm not asking about "responsibility", I'm asking for a bit more
explanation, without blaming anyone.
I'm not asking: "Who is responsible for this package not being fixed?"
I'm kindly asking: "Is it true that this package is still vulnerable
in bookworm? If not - please explain to me how to properly read all this
information on Debian pages."
Anyway - thank you.
Best regards,
Rafal
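The disagreement in this thread comes down to two different checks: a scanner compares the upstream version number it sees against the version that fixed a CVE upstream, while Debian may ship the same fix as a backport in a Debian revision (for example a `+deb12u1` suffix) without changing the upstream part of the version. The script below is an added example for this thread, not code from any poster, from Debian or from a scanner vendor. It reimplements dpkg's version ordering in Python and then puts both views side by side: what a version-only comparison concludes, and whether the package's changelog names the CVE id. The package name `examplepkg`, every version string, the changelog text and the CVE id `CVE-2099-00001` are constructed placeholders; the only assumption about real Debian practice is that changelog entries for security uploads name the CVE ids they address.

```python
"""Version-only scanner check vs. Debian changelog check (constructed example)."""
import re
from typing import Dict, List, Tuple

# Constructed changelog excerpt in debian/changelog format; placeholder data only.
CHANGELOG = """\
examplepkg (1.2.13-1+deb12u1) bookworm-security; urgency=high

  * Backport the upstream fix for CVE-2099-00001 (placeholder id, not a
    real advisory) without changing the upstream version.

 -- Example Maintainer <maintainer@example.org>  Mon, 27 Jan 2025 10:00:00 +0000

examplepkg (1.2.13-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Wed, 01 Jan 2025 10:00:00 +0000
"""

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg weight of one non-digit char: '~' sorts before everything (even
    end of string), letters sort before non-letters, '' is end of string."""
    if c == "" or c in _DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision string like dpkg: alternate between
    non-digit runs (by _order) and digit runs (numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a against b as `dpkg --compare-versions` does."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def scanner_flags(installed: str, fixed_upstream: str) -> bool:
    """The only check a version-based scanner can make: is the upstream part
    of the installed version older than the upstream release that fixed the CVE?"""
    _, upstream, _ = split_version(installed)
    return compare_versions(upstream, fixed_upstream) < 0


_ENTRY = re.compile(r"^(\S+) \(([^)]+)\) (\S+);", re.M)
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def changelog_entries(changelog: str) -> List[Tuple[str, str]]:
    """Return (version, entry_text) pairs, newest first."""
    heads = list(_ENTRY.finditer(changelog))
    out = []
    for k, m in enumerate(heads):
        end = heads[k + 1].start() if k + 1 < len(heads) else len(changelog)
        out.append((m.group(2), changelog[m.end():end]))
    return out


def cves_fixed_since(changelog: str, installed: str) -> Dict[str, str]:
    """Map each CVE id named by an entry at or below the installed version to
    the Debian version whose entry names it (entries newer than installed are skipped)."""
    found: Dict[str, str] = {}
    for version, text in changelog_entries(changelog):
        if compare_versions(version, installed) > 0:
            continue
        for cve in _CVE.findall(text):
            found.setdefault(cve, version)
    return found


def assess(installed: str, cve: str, fixed_upstream: str, changelog: str) -> Dict[str, object]:
    """Both views for one package/CVE pair; the reader still has to judge the impact."""
    fixed = cves_fixed_since(changelog, installed)
    return {
        "scanner_flags": scanner_flags(installed, fixed_upstream),
        "changelog_names_cve": cve in fixed,
        "fixed_in": fixed.get(cve),
    }


if __name__ == "__main__":
    print(assess("1.2.13-1+deb12u1", "CVE-2099-00001", "1.2.14", CHANGELOG))
    print(assess("1.2.13-1", "CVE-2099-00001", "1.2.14", CHANGELOG))
```

On a real system the changelog for an installed binary package can be read with `apt changelog <package>` (or from /usr/share/doc/<package>/changelog.Debian.gz), and the version string with `dpkg-query -W <package>`; running `assess` over that text shows whether the scanner's flag rests on the upstream number alone or whether the changelog actually names the CVE. A changelog that does not name the id is not proof of vulnerability either, which is the point Hanno makes above: the CVE and its impact on the system still have to be read by a person.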