On Wed, Jan 29, 2025 at 04:04:26PM +0100, Rafał Lichwała wrote:
>
> On 29.01.2025 3:35 PM, Hanno 'Rince' Wagner wrote:
> > > The notes say:
> > > [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not
> > > producing binary packages)
> > > In other words, there's no point in fixing it because Debian doesn't
> > > build the vulnerable binary component.
> > > Very low priority.
> >
> > so, this CVE is telling you about a bug which is not affecting Debian's
> > zlib1g since it doesn't build minizip.
>
> I can still find "minizip" binary in bookworm which depends on "zlib1g". So
> what does it mean that "it doesn't build minizip"?
>
> Thanks for trying and patience :-)
>
Yes, it still means that. The minizip binary package you are seeing comes from a different source package, also called minizip:

https://packages.debian.org/source/bookworm/minizip

> > that is what your job is: finding out whether the bug is really
> > affecting you and if so, how to mitigate it.
>
> So, if I use "minizip" or any other package based on vulnerable "zlib1g" in
> bookworm, that may be a security risk, right?

The minizip package in bookworm does not come from zlib1g, so this particular vulnerability still does not apply.

Regards,

-Roberto

-- 
Roberto C. Sánchez
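The confusion in the thread is between a binary package (zlib1g, minizip) and the source package it is built from (src:zlib, src:minizip), which is what the Debian security tracker's "[bookworm] - zlib <ignored>" note refers to. The check a practitioner wants is therefore "which source package built the binary I have installed?", not "what does it depend on?". The following is an added example, not part of the mailing-list exchange or of any Debian tooling: it applies the Debian Policy rule for the `Source:` field of binary package control data (absent means the source package has the binary's name; present means the first word is the source name, optionally followed by the source version in parentheses when it differs) to control stanzas shaped like `apt-cache show` output. The stanzas and version strings are constructed placeholders, not copied from the bookworm archive; `source_of_installed` wraps the real `dpkg-query` virtual fields for use on a live system.

```shell
#!/bin/sh
# Added example: map a Debian binary package to the source package that built
# it, which is the granularity the security tracker ("src:zlib") works at.
#
# Debian Policy rule for the "Source:" field in binary control data:
#   - absent        -> source package name == binary package name
#   - "name"        -> source package "name", same version as the binary
#   - "name (ver)"  -> source package "name" at source version "ver"

# source_from_stanza STANZA  -> prints "<source-name> <source-version>"
source_from_stanza() {
    stanza="$1"
    pkg=$(printf '%s\n' "$stanza" | sed -n 's/^Package: *//p' | head -n1)
    ver=$(printf '%s\n' "$stanza" | sed -n 's/^Version: *//p' | head -n1)
    src=$(printf '%s\n' "$stanza" | sed -n 's/^Source: *//p'  | head -n1)
    if [ -z "$src" ]; then
        printf '%s %s\n' "$pkg" "$ver"      # no Source: field -> same name
        return
    fi
    name=${src%% *}                           # first word is the source name
    case "$src" in
        *"("*")"*) srcver=${src#*(}; srcver=${srcver%)*} ;;   # "(ver)" given
        *)         srcver=$ver ;;                              # same version
    esac
    printf '%s %s\n' "$name" "$srcver"
}

# Live variant for an installed package (real dpkg-query virtual fields).
# Not exercised by the constructed demo below.
source_of_installed() {
    dpkg-query -W -f='${source:Package} ${source:Version}\n' "$1"
}

# "yes" if the package described by STANZA is built from src:zlib, i.e. is in
# scope for a tracker entry filed against the zlib source package.
affected_by_src_zlib_entry() {
    set -- $(source_from_stanza "$1")
    [ "$1" = zlib ] && echo yes || echo no
}

# --- Constructed control stanzas (placeholder versions, illustrative only) ---
ZLIB1G_STANZA='Package: zlib1g
Source: zlib
Version: 1:1.2.13.dfsg-1
Architecture: amd64'

# Depends on zlib1g, but has no Source: field -> built from src:minizip.
MINIZIP_STANZA='Package: minizip
Version: 1.1-8
Depends: libminizip1 (= 1.1-8), zlib1g
Architecture: amd64'

# Hypothetical binNMU: binary version differs from the source version.
FOO_STANZA='Package: libfoo1
Source: foo (2.0-1)
Version: 2.0-1+b1
Architecture: amd64'

if [ "${1:-}" = "--demo" ]; then
    for s in "$ZLIB1G_STANZA" "$MINIZIP_STANZA" "$FOO_STANZA"; do
        printf '%s -> src:%s (in scope for src:zlib entry: %s)\n' \
            "$(printf '%s\n' "$s" | sed -n 's/^Package: *//p')" \
            "$(source_from_stanza "$s")" \
            "$(affected_by_src_zlib_entry "$s")"
    done
fi
```

Run with `sh script.sh --demo` to see the three cases. The minizip stanza is the one the thread is about: its `Depends:` line names zlib1g, yet it resolves to src:minizip, so a tracker note scoped to src:zlib says nothing about it. Depending on a fixed or unfixed zlib1g is a separate question from being built from the zlib source tree.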