haskell/zlib

C code bundled in zlib is vulnerable

Closed this issue · 1 comments

As I understand it, the bundled code is 1.2.8.

zlib 1.2.8 is vulnerable to several CVEs, viz. https://nvd.nist.gov/vuln/detail/CVE-2016-9843, https://nvd.nist.gov/vuln/detail/CVE-2016-9842, https://nvd.nist.gov/vuln/detail/CVE-2016-9841, and https://www.google.com/search?client=safari&rls=en&q=CVE-2016-9840&ie=UTF-8&oe=UTF-8

One can avoid this by setting the +pkg-config flag and using a later zlib, but the default build on Windows may be vulnerable.