Update zlib to 1.3.1 to fix CVE-2023-45853 #3172
Comments
skurni
added
the
state/needs-triage
|
@skurni Thanks for opening this issue. I didn't spend a ton of time researching the CVE but it looks like it's for minizip. If that's the case, then I believe Nokogiri is not vulnerable because it doesn't use minizip (libxml2 links against zlib but not minizip). I get that some scanners may flag this version of zlib because the distro contains a vulnerable version of minizip, though. Is that the case for you? Can you say more about why you'd like a release made? |
**What problem is this PR intended to solve?** Update vendored zlib to 1.3.1. See #3172 Please note that Nokogiri is not vulnerable to the CVE patched in this version of zlib (which is related to the minizip library, which is not used by Nokogiri or its vendored libraries).
**What problem is this PR intended to solve?** Update vendored zlib to 1.3.1. See #3172 Please note that Nokogiri is not vulnerable to the CVE patched in this version of zlib (which is related to the minizip library, which is not used by Nokogiri or its vendored libraries).
|
Done, released in 1.16.4 https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.4 |
|
I didn't have a good understanding of how zlib is being used. That's why posted here if it's possible to upgrade. I first should have checked/asked if nokogiri is affected or not by this CVE before asking for upgrade. Thanks for doing this release @flavorjones. Yes, they are being picked up by the security scanners because of the above CVE and high score of 9.8 and nokogiri being direct dependency of rails(actionpack). |
Hi team,
zlib has released version 1.3.1 which contains a fix for CVE-2023-45853. See madler/zlib#868. Is it possible to update the same in nokogiri? I see that it is pointing to 1.3 in dependencies.yml.
The text was updated successfully, but these errors were encountered: