On 29.01.2025 3:35 PM, Hanno 'Rince' Wagner wrote:
> The notes say: [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages) In other words, there's no point in fixing it because Debian doesn't build the vulnerable binary component. Very low priority.
>
> So, this CVE is telling you about a bug which is not affecting Debian's zlib1g since it doesn't build minizip.
I can still find a "minizip" binary in bookworm which depends on "zlib1g". So what does it mean that "it doesn't build minizip"?
Thanks for trying and patience :-)
> That is what your job is: finding out whether the bug is really affecting you and if so, how to mitigate it.
So, if I use "minizip" or any other package based on the vulnerable "zlib1g" in bookworm, that may be a security risk, right?
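An added worked example, not part of the thread above. The tracker note is keyed on a source package (src:zlib), while the question in the thread is about a binary package (minizip). In Debian, a binary package's stanza in the Packages file carries a "Source:" field naming the source package it was built from (optionally followed by a version in parentheses); when the field is absent, the source package has the same name as the binary. So the check that answers "does this note cover the binary I have installed?" is to resolve binary -> source and compare, not to look at what the binary depends on. The stanzas below are constructed for the example and model the case described in the thread (a minizip binary that depends on zlib1g but is built from a separate source package); on a real host the same answer comes from `dpkg-query -W -f='${source:Package}\n' minizip` or `apt-cache show minizip`.

```shell
#!/bin/sh
# Added example (not from the thread): map a Debian binary package to the
# source package it was built from, which is what tracker notes such as
# "src:zlib not producing binary packages" refer to.
#
# On a real system use instead:
#   dpkg-query -W -f='${source:Package}\n' minizip
#   apt-cache show minizip | grep -E '^(Package|Source):'
#
# The Packages-file stanzas below are CONSTRUCTED so the script runs offline;
# package names/versions are illustrative. Verify the real fields on your host.
STANZAS='Package: zlib1g
Source: zlib
Version: 1:0.0-1
Depends: libc6 (>= 2.14)

Package: minizip
Source: minizip (0.0-1)
Version: 0.0-1
Depends: libc6 (>= 2.34), libminizip1 (= 0.0-1), zlib1g (>= 1:0.0)

Package: libminizip1
Source: minizip
Version: 0.0-1
Depends: libc6 (>= 2.34), zlib1g (>= 1:0.0)
'

# source_of PKG: print the source package for binary PKG.
# Debian rule: no Source: field means the source package is named like the
# binary. A "(version)" suffix on the Source field is dropped ($2 only).
# Exit status 1 if PKG has no stanza.
source_of() {
    pkg=$1
    printf '%s\n' "$STANZAS" | awk -v pkg="$pkg" '
        /^Package: / { cur = $2; src = cur }
        /^Source: /  { if (cur == pkg) src = $2 }
        /^$/         { if (cur == pkg) { print src; found = 1; exit } }
        END          { if (!found) { if (cur == pkg) print src; else exit 1 } }
    '
}

# built_from PKG SRC: succeed only if binary PKG was built from source SRC.
# This is the comparison to make against a tracker note scoped to src:SRC.
built_from() {
    [ "$(source_of "$1")" = "$2" ]
}

# Walk the constructed data the way you would walk `dpkg-query -W` output.
for p in zlib1g minizip libminizip1; do
    printf '%-12s built from src:%s\n' "$p" "$(source_of "$p")"
done
# With these (constructed) stanzas, zlib1g is src:zlib while minizip and
# libminizip1 come from src:minizip, so a note scoped to src:zlib says nothing
# about whether the installed minizip binary carries the bug; that has to be
# checked against src:minizip's own tracker entry.
```

The dependency on zlib1g is a red herring for this purpose: every program that links libz depends on zlib1g, but only the binaries that src:zlib actually emits are covered by a note on src:zlib. Whether a separately built minizip is affected is a separate question about that separate source package.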