On 29.01.2025 3:35 PM, Hanno 'Rince' Wagner wrote:
The notes say:
[bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not 
producing binary packages)
In other words, there's no point in fixing it because Debian doesn't build the 
vulnerable binary component.
Very low priority.

so, this CVE is telling you about a bug which is not affecting Debian's
zlib1g since it doesn't build minizip.

I can still find "minizip" binary in bookworm which depends on "zlib1g". So what does it mean that "it doesn't build minizip"?

Thanks for trying and patience :-)

that is what your job is: finding out whether the bug is really
affecting you and if so, how to mitigate it.

So, if I use "minizip" or any other package based on vulnerable "zlib1g" in bookworm, that may be a security risk, right?

