Update of libpng and zlib in component PDF
Hello,
we should update the libpng and zlib sources which are part of component PDF, because the currently included versions have several CVEs. PDF in poco 1.13.3 uses:
- zlib 1.2.3
- libpng 1.2.24
| Severity | Vulnerability Id | CVSS 3 Score | Published |
|---|---|---|---|
| Critical | CVE-2022-37434 | 9,8 | 05.08.2022 |
| Critical | CVE-2010-1205 | 9,8 | 30.06.2010 |
| Critical | CVE-2017-12652 | 9,8 | 10.07.2019 |
| High | CVE-2011-2692 | 8,8 | 17.07.2011 |
| High | CVE-2016-10087 | 7,5 | 30.01.2017 |
| High | CVE-2015-8472 | 7,3 | 21.01.2016 |
| Medium | WS-2020-0368 | 6,5 | 22.02.2020 |
| Medium | CVE-2010-2249 | 6,5 | 30.06.2010 |
| Medium | CVE-2011-2501 | 6,5 | 17.07.2011 |
| Medium | CVE-2011-2691 | 6,5 | 17.07.2011 |
| Medium | CVE-2008-6218 | 5,9 | 20.02.2009 |
| Medium | CVE-2011-3048 | 5,6 | 29.05.2012 |
| Medium | CVE-2011-3045 | 5,6 | 22.03.2012 |
| Medium | CVE-2015-7981 | 5,3 | 24.11.2015 |
| Medium | CVE-2015-2158 | 4,9 | 06.10.2017 |
| Low | CVE-2010-0205 | 3,7 | 03.03.2010 |
| Low | CVE-2008-3964 | 3,7 | 11.09.2008 |
| Low | CVE-2012-3425 | 3,7 | 13.08.2012 |
Maybe libharu 2.2.0 should be also updated.
Seems odd that Poco::Foundation and Poco::PDF each contain different versions of zlib.
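A practical check that follows from this report, as an added example that is not part of the issue or of the POCO project itself: a Python script that finds every vendored `zlib.h` and `png.h` in a checkout, reads the upstream version macros (`ZLIB_VERSION`, `PNG_LIBPNG_VER_STRING`), and flags copies below a floor version as well as the same library vendored twice at differing versions (the Foundation/PDF situation above). The floor versions and the sample tree are constructed assumptions, not values taken from the issue; the check generalises to any library whose header carries a version macro.

```python
import re
from pathlib import Path

# Version macros defined by the upstream zlib.h and png.h headers.
VERSION_MACROS = {
    "zlib": ("zlib.h", re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')),
    "libpng": ("png.h", re.compile(r'#define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')),
}
# Floor versions are an assumption for this example, not taken from the issue;
# set them from your own advisory tracking.
MINIMUM_VERSION = {"zlib": "1.2.13", "libpng": "1.6.37"}

# Constructed sample tree mirroring the issue: two zlib copies with different
# versions, plus the old libpng in the PDF component.
SAMPLE_TREE = {
    "Foundation/src/zlib.h": '#define ZLIB_VERSION "1.3.1"\n',
    "PDF/src/zlib.h": '#define ZLIB_VERSION "1.2.3"\n',
    "PDF/src/png.h": '#define PNG_LIBPNG_VER_STRING "1.2.24"\n',
}

def parse_version(text):
    """'1.2.11.1' -> (1, 2, 11, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def scan_headers(files):
    """files: {relative_path: contents}. Returns {library: [(path, version), ...]}."""
    found = {lib: [] for lib in VERSION_MACROS}
    for path, contents in sorted(files.items()):
        for lib, (name, pattern) in VERSION_MACROS.items():
            match = pattern.search(contents) if Path(path).name == name else None
            if match:
                found[lib].append((path, match.group(1)))
    return found

def audit(files, minimum=MINIMUM_VERSION):
    """Findings as (kind, library, path, version): outdated copies, and libraries vendored at differing versions."""
    findings = []
    for lib, copies in scan_headers(files).items():
        for path, version in copies:
            if parse_version(version) < parse_version(minimum[lib]):
                findings.append(("outdated", lib, path, version))
        if len({v for _, v in copies}) > 1:
            findings += [("duplicate", lib, p, v) for p, v in copies]
    return findings

def scan_tree(root):
    """Read every zlib.h / png.h under a real checkout into the files dict."""
    names = {name for name, _ in VERSION_MACROS.values()}
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in Path(root).rglob("*") if p.name in names}
```

Run `audit(scan_tree("/path/to/poco"))` against a checkout to list every vendored copy that needs attention; `audit(SAMPLE_TREE)` reproduces the situation described in the issue.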