cancel
Showing results forĀ 
ShowĀ Ā onlyĀ  | Search instead forĀ 
Did you mean:Ā 
kingraj
Level 3

Support for Zlib 1.3 for InstallShield 2022 R2 version

Hi Team,

Any plans to release a hotfix for InstallShield 2022 R2 version to support Zlib 1.3.

 

Labels (1)
0 Kudos
(10) Replies
shunt
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi - We have plans to include zlib 1.3 with Installshield 2023 R2.

I hope this helps.

0 Kudos

Hi 

we have got one critical vulnerability in our application for Zlib(CVE-2023-45853). To fix that we needed hotfix or patch for InstallShield 2022 R2 version.  

0 Kudos
shunt
Revenera Moderator Revenera Moderator
Revenera Moderator

The CVE-2023-45853 vulnerability specifically targets minizips use of Long Filename, comment or extra field.
Installshield does not use comment and extra field and also does not have scenarios that leads to a long filenames.

Therefore the vulnerability reported in CVE-2023-45853 does not directly affect Installshield 2022R2

If you have been alerted to this through vulnerability scanning software and it is important for you to remove this from the scan report of the installer, then please upgrade to Installshield 2023 R2. This version of Installshield uses the later zlib 1.3 version.

0 Kudos

Thanks Shunt for the reply,

we have upgraded to 2023 R2 version, but the zlib version is showing 1.3 is that correct.

if so, we wanted an zlib 1.3.1 version. any plans for this upgrade.

In 2023 R2 release notes, Zlib version is mentioned as 1.3.0.1 this is same as 1.3 or 1.3.1 

please clarify on this.

 

 

 

 

0 Kudos

Hi @kingraj,

Thank you for your post.

Could you please clarify the business justification for needing zlib 1.3.1 to be included with InstallShield 2023 R2? My understanding is that the vulnerability that you mentioned, CVE-2023-45853, is resolved by zlib 1.3. So what is your reason for needing zlib 1.3.1? Could you please clarify and elaborate in more detail, so we can better understand this issue that you reported?

Please let us know if you have any questions or concerns. Thanks!

0 Kudos

Thanks @Revenera_Ian  

in the below link provided by zlib they are claiming to have fixed the issue in 1.3.1 

https://github.com/madler/zlib/issues/868

This is the confusion we are having whether the CVE which is CVE-2023-45853 got fixed in IS 2023R2 

Thanks,

Raghavendra

0 Kudos

You're welcome; we're happy to help. Thanks @raghupc

Yes, and what we're saying is that vulnerability CVE-2023-45853 is fixed in zlib 1.3, which is included in InstallShield 2023 R2. Please upgrade to InstallShield 2023 R2 to take advantage of this fix.

Please let us know if you have any questions or concerns. Thanks!

0 Kudos

@Revenera_Ian It got fixed in zlib 1.3.1, but IS 2023R2 is showing zlib 1.3.0.1 

both versions are different. If the CVE which is mentioned above got fixed in zlib 1.3.0.1 then we are good 

Thanks

0 Kudos

Thank you for clarifying @raghupc

I'm researching this issue for you, and I'll keep you posted.

Please let us know if you have any questions or concerns. Thanks!

0 Kudos

Hi @raghupc,

Thank you for your patience.

Based on our analysis, InstallShield is not susceptible to this vulnerability. We've published the following article to help address any concerns regarding this:

https://community.flexera.com/t5/InstallShield-Knowledge-Base/CVE-2023-45853-zlib-vulnerability-impact-on-InstallShield/ta-p/309926

Please let us know if you have any questions or concerns. Thanks!

0 Kudos