[Bug 1729414] Re: zlib package in Ubuntu 14.04 LTS (Trusty) has not received patches for critical/high CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
Marc Deslauriers
marc.deslauriers at canonical.com
Mon Nov 20 21:33:29 UTC 2017

We have rated these vulnerabilities as being "low" priority as the
undefined behaviour doesn't affect binaries built with gcc.

We will include them in a zlib security update if more important issues
need to be addressed.

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9840.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9841.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9842.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9843.html

** Changed in: zlib (Ubuntu)
   Importance: Undecided => Low

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to zlib in Ubuntu.
https://bugs.launchpad.net/bugs/1729414

Title:
  zlib package in Ubuntu 14.04 LTS (Trusty) has not received patches for
  critical/high CVE-2016-9840, CVE-2016-9841, CVE-2016-9842,
  CVE-2016-9843

Status in zlib package in Ubuntu:
  Confirmed

Bug description:
  The current package available to 14.04/trusty is 1:1.2.8.dfsg-1ubuntu1
  which does not have the upstream fixes for the following CVEs:

  * CVE-2016-9840 (high) (https://nvd.nist.gov/vuln/detail/CVE-2016-9840)
  * CVE-2016-9841 (critical) (https://nvd.nist.gov/vuln/detail/CVE-2016-9841)
  * CVE-2016-9842 (high) (https://nvd.nist.gov/vuln/detail/CVE-2016-9842)
  * CVE-2016-9843 (critical) (https://nvd.nist.gov/vuln/detail/CVE-2016-9843)

  Being that they are being categorized as such by NIST, it would be
  very nice to get these fixes backported to Trusty or the most recent
  version of zlib made available to Trusty.

  Thanks!