Hi all,
I have just checked the change logs for the latest versions of zlib and libxml2 that I am building and they include fixes to the vulnerabilities flagged up in the clamav-0.105.1 announcement.
The vulnerability for zlib was already fixed in CU171 with the two patch files that Peter added. This patch set has now been integrated into the latest zlib.
The vulnerabilities for libxml2 have fixes for both CVEs in the latest version of libxml2, which was released on October 14th. Both of the CVEs are listed on the CVE website as reserved with no details, but clearly the info has been circulated to the zlib and libxml2 developers and fixes were made a while ago.
Not sure how to find out if CVEs have been raised on packages that IPFire is using so we can use any fixes developed as soon as possible. I knew about the issues with zlib and libxml2 because I saw the announcement of the clamav-0.105.1 release.
Anyway, good news: the patches I will submit soon will contain the fixes to the CVEs mentioned in the clamav announcement.
Regards,
Adolf.
Great!
I suppose a lot of the confusion from the release announcement seems to come from clamav shipping copies of those libraries (at least I think they still do so).
So they will have to release another tarball with the bundled libraries even if they didn’t change anything. I consider this a really bad practice because it meant that Peter’s updated zlib actually didn’t fix it for clamav.
In IPFire 3 we try to track bundled libraries, but it is manual effort which is not 100% accurate.
The ideal would be to always link against the “system version”. Sometimes the configure script has a “--with-system-zlib” switch, which should ALWAYS be used over the bundled version.
Best, -Michael
On 7 Nov 2022, at 20:51, Adolf Belka adolf.belka@ipfire.org wrote:
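Added example, not part of the thread above and not IPFire's or ClamAV's own tooling: a POSIX shell script that does the "track bundled libraries" job Michael describes. It walks a source tree for bundled copies of zlib and libxml2 by reading their version macros, flags any copy older than a caller-supplied version, and checks whether the tree's configure script offers a --with-system-<lib> switch so the system library can be used instead of the bundled one. The directory layout, the 1.2.11 / 2.9.10 bundled versions and the "latest" versions passed on the command line are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not IPFire's or ClamAV's own tooling: find copies of zlib and
# libxml2 bundled inside a source tree, compare them with a caller-supplied
# "latest" version, and check whether configure offers a --with-system-<lib>
# switch. The sample tree below is constructed for the demonstration.

# Print "<path relative to tree> <version>" for every bundled zlib.h /
# xmlversion.h that carries a version macro.
find_bundled_versions() {
    tree="$1"
    find "$tree" -type f \( -name zlib.h -o -name xmlversion.h \) | sort |
    while read -r hdr; do
        ver=$(grep -E '^#define (ZLIB_VERSION|LIBXML_DOTTED_VERSION)[[:space:]]+"' "$hdr" |
              sed 's/.*"\([^"]*\)".*/\1/' | head -n 1)
        if [ -n "$ver" ]; then
            printf '%s %s\n' "${hdr#$tree/}" "$ver"
        fi
    done
}

# Succeed when dotted version $1 is older than $2 (1.2.11 < 1.2.13, 1.2 < 1.2.1).
version_older() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 1; fi   # all components equal
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Print one OUTDATED line per bundled copy older than the version named in $2
# ($2 is a space-separated list of name=version, e.g. "zlib=1.2.13 libxml2=2.10.3").
report_outdated() {
    latest="$2"
    find_bundled_versions "$1" | while read -r hdr ver; do
        case "$hdr" in
            */zlib.h)       name=zlib ;;
            */xmlversion.h) name=libxml2 ;;
            *)              continue ;;
        esac
        for kv in $latest; do
            if [ "${kv%%=*}" = "$name" ] && version_older "$ver" "${kv#*=}"; then
                printf 'OUTDATED %s %s bundled=%s latest=%s\n' "$name" "$hdr" "$ver" "${kv#*=}"
            fi
        done
    done
}

# Succeed when the tree's configure script mentions --with-system-<lib>.
has_system_switch() {
    grep -q -- "--with-system-$2" "$1/configure" 2>/dev/null
}

# Constructed sample tree: layout, versions and configure text are invented
# for this example and do not describe any real project's source tree.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/third_party/zlib" "$d/third_party/libxml2/include/libxml"
    printf '#define ZLIB_VERSION "1.2.11"\n' > "$d/third_party/zlib/zlib.h"
    printf '#define LIBXML_DOTTED_VERSION "2.9.10"\n' \
        > "$d/third_party/libxml2/include/libxml/xmlversion.h"
    printf '#!/bin/sh\n# --with-system-zlib  use the installed zlib, not the bundled copy\n' \
        > "$d/configure"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree; the "latest" versions are example input.
sample=$(make_sample_tree)
report_outdated "$sample" "zlib=1.2.13 libxml2=2.10.3"
if has_system_switch "$sample" zlib; then
    echo "configure offers --with-system-zlib: pass it so the bundled copy is not built"
fi
rm -rf "$sample"
```

Run against a real unpacked tarball instead of the sample tree, with the versions you are actually shipping as the second argument to report_outdated. One caveat for libxml2: in an unconfigured checkout the header only exists as xmlversion.h.in with a placeholder, so the scan sees a real version only after configure has been run (or for a bundled copy that ships the generated header).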