Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-37434 (zlib) found on main #50

Closed
github-actions bot opened this issue Aug 12, 2022 · 8 comments
Closed

CVE-2022-37434 (zlib) found on main #50

github-actions bot opened this issue Aug 12, 2022 · 8 comments
Labels
dont-believe-affects-nodejs main

Comments

@github-actions
Copy link

github-actions bot commented Aug 12, 2022
edited by RafaelGSS

Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/2843580697
A new vulnerability for zlib 1.2.11 was found:
Vulnerability ID: CVE-2022-37434
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2022-37434
Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/3333499796
@RafaelGSS RafaelGSS mentioned this issue Aug 16, 2022
Closed
@DanielRuf
Copy link

Link to discussion on the relevant commit for completeness: madler/zlib@eff308a

Needs clarification from maintainer and MITRE.

@mhdawson
Copy link
Member

@mscdex since you helped us move to the chromium implementation I wonder if you know how/when they would incorporte a fix for this ?

@mscdex
Copy link

mscdex commented Aug 19, 2022

@mhdawson You're probably better off asking the Chrome/Chromium team since they maintain the actual code. All I did was just extract their fork and create the gyp.

@RafaelGSS
Copy link
Member

@mhdawson could you give permissions to the Security-WG to this repo? I need to add the flag does-not-affect-nodejs

Node.js doesn't use the inflateGetHeader() method, therefore it's not affected. To follow the zlib update, see: nodejs/node#44412

@mhdawson
Copy link
Member

@RafaelGSS you should now have access. I changed core collaborators to read/write. Since the security-wg team has relatively open membership and we don't trim the members very often I'd prefer to give access to non core-collaborators on an individual basis as needed.

@mhdawson
Copy link
Member

@RafaelGSS thanks for checking. Hopefully you now have access to add that comment to the issues and mark with does-not-affect-nodejs

@mhdawson mhdawson mentioned this issue Aug 31, 2022
Closed
@Neustradamus
Copy link

To follow this ticket.

This was referenced Oct 20, 2022
Closed
Closed
@RafaelGSS RafaelGSS added the main label Oct 24, 2022
@RafaelGSS RafaelGSS changed the title New vulnerability CVE-2022-37434 found on main CVE-2022-37434 (zlib) found on main Oct 27, 2022
@RafaelGSS RafaelGSS mentioned this issue Oct 27, 2022
Closed
@mhdawson mhdawson mentioned this issue Oct 27, 2022
Closed
@RafaelGSS
Copy link
Member

Fixed on nodejs/node#45387

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dont-believe-affects-nodejs main
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@mscdex @Neustradamus @DanielRuf @mhdawson @RafaelGSS