We have rated these vulnerabilities as being "low" priority as the undefined behaviour doesn't affect binaries built with gcc.
We will include them in a zlib security update if more important issues need to be addressed. https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9840.html https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9841.html https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9842.html https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9843.html ** Changed in: zlib (Ubuntu) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to zlib in Ubuntu. https://bugs.launchpad.net/bugs/1729414 Title: zlib package in Ubuntu 14.04 LTS (Trusty) has not received patches for critical/high CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843 Status in zlib package in Ubuntu: Confirmed Bug description: The current package available to 14.04/trusty is 1:1.2.8.dfsg-1ubuntu1 which does not have the upstream fixes for the following CVEs: * CVE-2016-9840 (high) (https://nvd.nist.gov/vuln/detail/CVE-2016-9840) * CVE-2016-9841 (critical) (https://nvd.nist.gov/vuln/detail/CVE-2016-9841) * CVE-2016-9842 (high) (https://nvd.nist.gov/vuln/detail/CVE-2016-9842) * CVE-2016-9843 (critical) (https://nvd.nist.gov/vuln/detail/CVE-2016-9843) Being that they are being categorized as such by NIST, it would be very nice to get these fixes backported to Trusty or the most recent version of zlib made available to Trusty. Thanks! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/zlib/+bug/1729414/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
