Hi @ll, this post is a continuation of <https://seclists.org/fulldisclosure/2023/Oct/17> and <https://seclists.org/fulldisclosure/2021/Oct/17>
With the release of .NET Framework 4.8 in April 2019, Microsoft updated the following paragraph of the MSDN article "What's new in .NET Framework" <https://msdn.microsoft.com/en-us/library/ms171868.aspx> | Starting with .NET Framework 4.5, the clrcompression.dll assembly uses | Zlib <https://zlib.net/>, a native external library for data compression, | in order to provide an implementation for the deflate algorithm. | The .NET Framework 4.8 version of clrcompression.dll is updated to use | ZLib Version 1.2.11, which includes several key improvements and fixes. According to the MSKB articles <https://support.microsoft.com/en-us/kb/4486081>, <https://support.microsoft.com/en-us/kb/4486105>, <https://support.microsoft.com/en-us/kb/4486129> and <https://support.microsoft.com/en-us/kb/4486153>, .NET Framework 4.8 is available for Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10 version 1607 and above, and Windows Server 2016 and above. According to the zlib change log <https://zlib.net/ChangeLog.txt>, 1.2.11 (January 15, 2017) was the current version then; later versions are - 1.2.12 (March 27, 2022), - 1.2.13 (October 13, 2022), - 1.3 (August 18, 2023), - 1.3.1 (January 22, 2024). Stupid^WSilly question: has Microsoft updated the zlib shipped with .NET Framework 4.8, either through cumulative updates or the release of .NET Framework 4.8.1 in August 2022 (see MSKB article https://support.microsoft.com/en-us/kb/5011048)? MOST OBVIOUS ANSWER: NO, OF COURSE NOT! .NET Framework 4.8.1 shipped with clrcompression.dll 4.8.9037.0, built June 24, 2022, 3 months after release of zlib 1.2.12; Microsoft continued to ship the SUPERCEDED zlib 1.2.11 until April 9, 2024, i.e. more than SEVEN years after its release! Several of the MSKB articles for the April 2024 cumulative updates for .NET Framework 4.x show the following telltale paragraph: | .NET Framework Defense in Depth Vulnerability | This security update addresses an issue where version of the | OSS zlib library is out of date. stay tuned, and far away from crap built with ROTTEN components Stefan Kanthak PS: to preserve your mental health, don't run the following commands: DIR /S "%SystemDrive%\clrcompression.dll" FINDSTR.exe /S "flate.1\.[1-9]\.[1-9]" "%SystemDrive%\clrcompression.dll" PPS: <https://download.microsoft.com/download/0/4/f/04f98ada-465c-4b46-8014-891619317b52/5036894.csv> | "curl.exe","8.4.0.0","05-Apr-2024","16:10","588,848" | "curl.exe","8.4.0.0","05-Apr-2024","16:10","471,600" | "curl.exe","8.4.0.0","05-Apr-2024","16:10","531,912" | "curl.exe","8.4.0.0","05-Apr-2024","17:49","601,544" | "curl.exe","8.4.0.0","05-Apr-2024","17:48","531,912" cURL 8.4.0 is more than six months old, and has 5 CVEs, all fixed since cURL 8.6.0, released January 31, 2024 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/