Zlib CVE-2023-45853

mskalicky · May 22, 2024, 2:10pm

Hi,
the python package available in conda repos (including conda-forge) is depending on zlib <1.3 which is affected by CVE-2023-45853 which was published in October 2023.
Is there any plan to rebuild python in conda repo to use newer zlib?

I was able to find that CPython was rebuilding and backporting the changes even though they thought this CVE is not affecting them

github.com/python/cpython

Update Windows builds to use latest zlib

opened 12:05AM - 24 Oct 23 UTC

closed 03:23PM - 06 Feb 24 UTC

SharpMan

type-bug type-security build 3.11 3.10 3.9 3.8 3.12 3.13

# Bug report ### Bug description: A new version of zlib is out: 1.3 - https://…zlib.net/ zlib 1.2.13 has [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) https://www.openwall.com/lists/oss-security/2023/10/20/9 minizip is part of the contrib directory in zlib, but we do not appear to use this API. The CVSS v3 score is 9.8. We would rather patch Python to use the latest library because people will ask us about that CVE. ### CPython versions tested on: 3.11, 3.12, 3.13 ### Operating systems tested on: Linux, Windows ### Linked PRs * gh-111242 * gh-114877 * gh-115076 * gh-115079 * gh-115080 * gh-115086 * gh-115087

Topic		Replies	Views
Current_repodata.json Seems to be Missing From Anaconda Packages Bugs & Issues	7	5655	November 9, 2022
CVE-2023-4863 "WebP / LibWebP" Fix Technical Topics	0	281	September 20, 2023
Update cadence for anaconda python packages Packages & Environments	1	383	June 9, 2023
Anaconda Professional Repository - Outdated packages Packages & Environments	1	260	November 22, 2023
Python 3.8 reaches end-of-life Announcements python	0	302	November 4, 2024

Zlib CVE-2023-45853

Related topics