On Fri, Oct 20, 2023 at 10:33:03AM -0300, Marcio B. wrote:
> Hi
> I have the zlib1g 1:1.2.11.dfsg library installed on my Debian 11.8 server
> and my vulnerability dashboard shows that the library has CVE-2023-45853.

You don't specify what vulnerability dashboard you are using. However, in my
experience most of them are close to worthless because they do a poor job of
properly assessing whether vulnerabilities are really present.

In any event, this is the Debian Security Tracker page for CVE-2023-45853:

https://security-tracker.debian.org/tracker/CVE-2023-45853

It shows the vulnerability is currently present in all versions of Debian.
However, the CVE description at the top of the page includes this:

"NOTE: MiniZip is not a supported part of the zlib product."

It is possible that either this vulnerability is not actually applicable in
the Debian package (e.g., if that particular capability is not built into the
Debian package) or that it is applicable but is considered of minor impact by
the Debian Security Team. Note that this particular CVE was only added to the
Debian Security Tracker on October 14th (in commit b34c32795) and that it is
likely still under evaluation by the security team.

> I would like if there is a patch for this vulnerability since there is no
> candidate package for update.
>
If you have the bullseye-security source configured on your system and you
update regularly, then you will receive the updated package once it is
available.

> If it doesn't exist, how could you check the impact of removing this
> package?

The zlib1g package has 'Priority: optional', so in theory you should be able
to remove it. However, in practice many packages depend on it so the actual
result depends greatly on what specific packages you have installed in your
system. Something like 'sudo apt-get remove zlib1g' will calculate all the
required removals, present them to you for review, and then ask Y/N whether
you want to remove them. There are other ways to obtain this information, but
that is probably the simplest.

Regards,

-Roberto

-- 
Roberto C. Sánchez
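An added example, not part of the thread above, of previewing the removal impact Roberto describes without changing the system: `apt-get -s remove` only simulates and prints a `Remv` line for every package that would go. The script parses those lines; the embedded simulation output is a constructed sample so it runs on a machine without apt, and the package versions in it are illustrative, not taken from a real Debian 11 system.

```sh
#!/bin/sh
# Preview which packages apt would remove together with zlib1g.
# Nothing here modifies the system: -s (--simulate) never removes anything.

# Constructed sample of `apt-get -s remove zlib1g` output (versions are
# illustrative), used as a fallback so the functions can run offline.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  libpng16-16 zlib1g
Remv libpng16-16 [1.6.37-3]
Remv zlib1g [1:1.2.11.dfsg-2]'

# Read simulation output on stdin; print one package name per "Remv" line.
removed_packages() {
    awk '$1 == "Remv" { print $2 }'
}

# Read simulation output on stdin; print how many packages would be removed.
removal_count() {
    removed_packages | wc -l | tr -d ' '
}

# Produce simulation output for removing $1: the real apt-get simulation when
# apt-get is installed (root is not needed for -s), else the constructed sample.
simulate_removal() {
    pkg=$1
    if command -v apt-get >/dev/null 2>&1; then
        apt-get -s remove "$pkg" 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_SIM"
    fi
}

# Usage: sh preview_removal.sh --run
# Prints the package list first and a count last, for quick review.
if [ "${1:-}" = "--run" ]; then
    out=$(simulate_removal zlib1g)
    printf '%s\n' "$out" | removed_packages
    printf 'packages that would be removed: %s\n' \
        "$(printf '%s\n' "$out" | removal_count)"
fi
```

On a real Debian 11 host the count is normally in the hundreds, which is the concrete reason removing zlib1g is rarely a practical mitigation.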