Missing fix for CVE-2022-37434 in zlib1g in focal

Felix Herrmann

There is a critical security issue with zlib tracked here [1]

As far as I can see, the newest version in bionic [2] already has a security patch for it but the one in focal [3] does not, as far as I could gather from their respective changelogs in the right-hand side panel.

Since zlib is loaded by lots of software, e.g. the apache web server, this could be a problem. It seems that both focal as well as bionic use the same base zlib version (1.2.11), so maybe the patch there could be recycled?

Would it be possible to get a fix for the CVE in focal as well?

[1] CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-37434
[2] Bionic Package: https://packages.ubuntu.com/bionic/zlib1g
[3] Focal Package: https://packages.ubuntu.com/focal/zlib1g

Manfred Hampl (m-hampl) said :

It seems to me that what you wrote is completely true.

As far as I can see it is not only the case for focal, but also for jammy.

I suggest that you create a bug report with all information that you have already collected.

Felix Herrmann (felher) said :

Done! Thank you! I close this question then. Feel free to reopen if there is a policy of keeping both the question and the bug open until it is resolved.