Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37434 (zlib) found on main #50

Closed
github-actions bot opened this issue Aug 12, 2022 · 8 comments
Closed

CVE-2022-37434 (zlib) found on main #50

github-actions bot opened this issue Aug 12, 2022 · 8 comments

Comments

@github-actions
Copy link

github-actions bot commented Aug 12, 2022

Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/2843580697
A new vulnerability for zlib 1.2.11 was found:
Vulnerability ID: CVE-2022-37434
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2022-37434
Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/3333499796

@DanielRuf
Copy link

Link to discussion on the relevant commit for completeness: madler/zlib@eff308a

Needs clarification from maintainer and MITRE.

@mhdawson
Copy link
Member

@mscdex since you helped us move to the chromium implementation I wonder if you know how/when they would incorporte a fix for this ?

@mscdex
Copy link

mscdex commented Aug 19, 2022

@mhdawson You're probably better off asking the Chrome/Chromium team since they maintain the actual code. All I did was just extract their fork and create the gyp.

@RafaelGSS
Copy link
Member

@mhdawson could you give permissions to the Security-WG to this repo? I need to add the flag does-not-affect-nodejs

Node.js doesn't use the inflateGetHeader() method, therefore it's not affected. To follow the zlib update, see: nodejs/node#44412

@mhdawson
Copy link
Member

@RafaelGSS you should now have access. I changed core collaborators to read/write. Since the security-wg team has relatively open membership and we don't trim the members very often I'd prefer to give access to non core-collaborators on an individual basis as needed.

@mhdawson
Copy link
Member

@RafaelGSS thanks for checking. Hopefully you now have access to add that comment to the issues and mark with does-not-affect-nodejs

@Neustradamus
Copy link

To follow this ticket.

@RafaelGSS RafaelGSS added the main label Oct 24, 2022
@RafaelGSS RafaelGSS changed the title New vulnerability CVE-2022-37434 found on main CVE-2022-37434 (zlib) found on main Oct 27, 2022
@RafaelGSS
Copy link
Member

Fixed on nodejs/node#45387

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants