.. _zlib-1.2.11:

Zlib 1.2.11
===========

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the `Open Source Vulnerability Database `_.

These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used when building without a system zlib.

The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

Note: Only Windows and macOS are affected by this issue. Linux packages use the system zlib.

Dates:

* Disclosure date: **2017-01-05** (Python issue bpo-29169 reported)
* Reported at: 2017-01-02 (zlib 1.2.10 released)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by `commit 80b24a9 (branch 2.7) `_ (2017-01-31)
* Python **3.4.8** (2018-02-04) fixed by `commit d0e61bd (branch 3.4) `_ (2017-08-16)
* Python **3.5.4** (2017-08-07) fixed by `commit 34e7e2e (branch 3.5) `_ (2017-01-31)
* Python **3.6.1** (2017-03-21) fixed by `commit 34e7e2e (branch 3.5) `_ (2017-01-31)
* Python **3.7.0** (2018-06-27) fixed by `commit 34e7e2e (branch 3.5) `_ (2017-01-31)

Python issue
------------

update zlib to 1.2.11.

* Python issue: `bpo-29169 `_
* Creation date: 2017-01-05
* Reporter: Matthias Klose

CVE-2016-9840
-------------

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

* CVE ID: `CVE-2016-9840 <https://nvd.nist.gov/vuln/detail/CVE-2016-9840/>`_
* Published: 2017-05-23
* `CVSS Score `_: 6.8

CVE-2016-9841
-------------

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

* CVE ID: `CVE-2016-9841 <https://nvd.nist.gov/vuln/detail/CVE-2016-9841/>`_
* Published: 2017-05-23
* `CVSS Score `_: 7.5

CVE-2016-9842
-------------

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

* CVE ID: `CVE-2016-9842 <https://nvd.nist.gov/vuln/detail/CVE-2016-9842/>`_
* Published: 2017-05-23
* `CVSS Score `_: 6.8

CVE-2016-9843
-------------

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

* CVE ID: `CVE-2016-9843 <https://nvd.nist.gov/vuln/detail/CVE-2016-9843/>`_
* Published: 2017-05-23
* `CVSS Score `_: 7.5

Timeline
--------

Timeline using the disclosure date **2017-01-05** as reference:

* 2017-01-02 (**-3 days**): Reported (zlib 1.2.10 released)
* 2017-01-05: `Python issue bpo-29169 `_ reported by Matthias Klose
* 2017-01-31 (**+26 days**): `commit 34e7e2e (branch 3.5) `_
* 2017-01-31 (**+26 days**): `commit 80b24a9 (branch 2.7) `_
* 2017-03-21 (**+75 days**): Python 3.6.1 released
* 2017-05-23 (**+138 days**): CVE-2016-9840 published
* 2017-05-23 (**+138 days**): CVE-2016-9841 published
* 2017-05-23 (**+138 days**): CVE-2016-9842 published
* 2017-05-23 (**+138 days**): CVE-2016-9843 published
* 2017-08-07 (**+214 days**): Python 3.5.4 released
* 2017-08-16 (**+223 days**): `commit d0e61bd (branch 3.4) `_
* 2017-09-16 (**+254 days**): Python 2.7.14 released
* 2018-02-04 (**+395 days**): Python 3.4.8 released
* 2018-06-27: Python 3.7.0 released

Links
-----

* https://nvd.nist.gov/vuln/detail/CVE-2016-9840/
* https://nvd.nist.gov/vuln/detail/CVE-2016-9841/
* https://nvd.nist.gov/vuln/detail/CVE-2016-9842/
* https://nvd.nist.gov/vuln/detail/CVE-2016-9843/
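Because only the zlib bundled into Windows and macOS builds is affected while Linux builds link the system library, the useful check on a given interpreter is which zlib it actually loaded, not which Python version it is. The following is an added example (not code from this page or from CPython) that compares the build-time and run-time zlib versions against the 1.2.10 release this page names as carrying the fixes; the threshold constant and the ``zlib_report`` helper are this snippet's own assumptions.

```python
import platform
import sys
import zlib

# Added example, not from the python-security page: flag interpreters whose
# loaded zlib predates the 1.2.10 release that the page says carries the
# fixes for CVE-2016-9840..9843. The threshold is the only page fact used.
FIXED_IN = (1, 2, 10)


def parse_zlib_version(text):
    """Turn a zlib version string such as '1.2.8' or '1.2.11.1' into a
    tuple of ints, ignoring any non-numeric suffix (e.g. '1.2.9-dev')."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    # Pad to three components so '1.2' compares like '1.2.0'.
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text, fixed_in=FIXED_IN):
    """True when the given zlib version is older than the fixed release."""
    return parse_zlib_version(version_text) < fixed_in


def zlib_report():
    """Collect build-time and run-time zlib versions and the verdict.

    zlib.ZLIB_VERSION is the header version CPython was compiled against;
    zlib.ZLIB_RUNTIME_VERSION (Python 3.3+) is the library actually loaded,
    which is what matters on Linux, where the system zlib is used rather
    than the copy bundled with the CPython sources.
    """
    build = zlib.ZLIB_VERSION
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", build)
    return {
        "python": platform.python_version(),
        "platform": sys.platform,
        "zlib_build": build,
        "zlib_runtime": runtime,
        "affected": is_affected(runtime),
    }


if __name__ == "__main__":
    for key, value in zlib_report().items():
        print(f"{key}: {value}")
```

On a Windows or macOS build the two version strings normally match, so a mismatch is itself worth noting: it means the interpreter picked up a zlib other than the one it was built against.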