
Boost and ZLib vulnerability CVE-2018-25032

Open etiennearnal opened this issue 3 years ago • 2 comments

Hi Boost community,

I detected (using FNCI reports) that Boost relies on ZLib 1.2.11 in libs/beast/test and tools/boost_install/test. Recently ZLib was updated to version 1.2.12 to fix a vulnerability (CVE-2018-25032); more information in this article. Is there any plan to use this new version?

Thanks,

Etienne

etiennearnal avatar Jun 24 '22 07:06 etiennearnal

Beast already updated that https://github.com/boostorg/beast/pull/2489, but it wasn't merged in time for the 1.80 release.

Next Beast release will have the change.

I cannot speak for tools/boost_install (or whether that detection represents an actual dependency).

sehe avatar Jul 31 '22 01:07 sehe

If you can grab the develop branch of beast for now, it has the fix.

vinniefalco avatar Jul 31 '22 02:07 vinniefalco

Merged? Can this be closed?

klemens-morgenstern avatar Sep 24 '22 04:09 klemens-morgenstern

Verify that the fix is in, that the CHANGELOG has it, and that the in-progress release notes for Boost have it, and then close it.

vinniefalco avatar Sep 25 '22 00:09 vinniefalco

Fixed in https://github.com/boostorg/beast/commit/ca824f607ccab6682b955eb91ed49753e6433069 and https://github.com/boostorg/beast/commit/925043e1e8df7474165f23c9a60223b0ab886be4. Mentioned in the CHANGELOG: https://github.com/boostorg/beast/blob/d0dd9c50694bcbb8836775e780eb046f66b3e1d7/CHANGELOG.md?plain=1#L157

ashtum avatar Jan 04 '24 13:01 ashtum