Post Ac5hPs64KuEY8N0etU by broonie@mastodon.social
 Post #Ac3NqXxcvIr06OaEJE by joshbressers@infosec.exchange
       2023-11-22T01:06:28Z
       
       0 likes, 3 repeats
       
       A lot of folks are going to have a bad time with this
       https://nvd.nist.gov/vuln/detail/CVE-2023-45853
       It’s a critical #CVE in zlib
       Except it’s not critical
       And doesn’t affect zlib
       The whole CVE system is too broken to fix
       
 Post #Ac3z0nDYkXIEcXmi00 by lanodan@queer.hacktivis.me
       2023-11-22T11:20:36.526302Z
       
       0 likes, 0 repeats
       
       @joshbressers Except the actual true upstream of minizip is zlib. Source? Minizip's homepage. https://www.winimage.com/zLibDll/minizip.html
       
 Post #Ac41Bv7BvaGCCvEvEO by erincandescent@queer.af
       2023-11-22T11:48:21Z
       
       0 likes, 0 repeats
       
       @lanodan @joshbressers it's in the zlib repo but not zlib the library
       
 Post #Ac41Bw4ONTcDAWwCVU by lanodan@queer.hacktivis.me
       2023-11-22T11:54:20.524123Z
       
       0 likes, 0 repeats
       
       @erincandescent @joshbressers Meaning it's also in zlib tarballs and virtually all zlib distro packages (due to software depending on minizip), but it's just not in libz.so.
       
 Post #Ac4JWcNwYffjNG5vE0 by joshbressers@infosec.exchange
       2023-11-22T14:46:08Z
       
       0 likes, 0 repeats
       
       @lanodan @erincandescent I've yet to find minizip in any zlib packages (I'm trying to find it)
       But even if it was there, you can make the argument this affects zlib, which is technically correct
       But zlib is special, it's in literally every computing device on the planet
       This is going to waste literally millions of dollars with people either patching to get rid of the vulnerability absolutists, or justifying why it's not a problem over and over again
       Rigidly following rules and policy without exception either means your policy is terrible, or you don't understand what's going on (or both)
       Additionally, this shouldn't have a critical severity. So even if your broken policy makes you keep the data in the system, at least mark the severity appropriately
       
 Post #Ac4JWdCHXVwDtNe7ge by lanodan@queer.hacktivis.me
       2023-11-22T15:19:37.602601Z
       
       0 likes, 0 repeats
       
       @joshbressers @erincandescent I have 0 interest in things like policies; the only horses I care about in the race are distros, which are just going to patch a finite amount of packages and be done with it.
       As for distros I know have a zlib package with minizip included: Gentoo (with USE=minizip), Alpine (one recipe/tarball + split minizip-* binary packages).
       (It's likely all distros)
       btw if you're wondering about software depending on zlib's minizip, see the "Required by" panel at https://pkgs.alpinelinux.org/package/edge/community/x86/minizip
       
 Post #Ac5hPs64KuEY8N0etU by broonie@mastodon.social
       2023-11-22T23:21:50Z
       
       1 likes, 0 repeats
       
       @joshbressers @lanodan @erincandescent We package it in Debian and hence derivatives - it’s not in the zlib binary package but it is shipped as separate binary packages that do have a userbase.