>> Well, not really what I meant in the previous sentence.
> How does your "automatically scanned for possible vulnerabilities" actually work?
>> I don't know, but it does not matter in that context.
> It does matter because you have to interpret the output of your scanner and understand it.

It does not matter "how does the scanner *actually work*" (what
sources it gets, what filters it applies etc.), but I have to
properly interpret its output - that's true.
So, I thought those two critical alarms were just false alarms because they are already fixed in Debian (as usual, in normal security fixes, backports or whatever) - even if that's not reflected in the package's main version number - so I could easily find information about that on the Debian pages. But I can't find it - worse - I found a confirmation that bookworm is vulnerable.
So now I suppose I just don't fully understand the information
I found, so that's why I ask you guys for help on this Debian user
mailing list.
> This strange scanner found a CVE attached to minizip. minizip is part of zlib, but not supported. Therefore there is no reason for Debian to provide a security fix, since the program (minizip) is not supported by the package zlib itself.
No. The "strange scanner" says that the vulnerability is in the "zlib1g" package (not minizip).
Based on that (I described it in my first post) I found that it's a Debian binary package from zlib which is vulnerable in bookworm. And that was a surprise - that's it.
> If you use such a scanner, _you_ have to understand the output of the scanner, the CVE itself _and_ the impact on _your_ system. The scanner can only check a version number against a CVE. But what it means _in your situation_ is your responsibility, not Debian's, not the scanner's.
Yes. But I'm not asking about "responsibility", just for a bit more explanation, without blaming anyone.
I'm not asking: "Who is responsible for the fact that this package is not
fixed?"
I'm kindly asking: "Is it true that this package is still
vulnerable in bookworm? If not - please explain to me how to properly
read all this information on the Debian pages."
Anyway - thank you.
Best regards,
Rafal