We are building our setup with InstallShield 2022 R1 Standalone Build.
BDBA scan of the generated MSI file reports CVE-2022-37434 for zlib 1.2.12 in the following files:
Is there a workaround to mitigate the CVE?
When does Revenera plan to migrate to the latest zlib version?
This CVE reports that only apps that call zlib's 'inflateGetHeader' method are affected.
Neither InstallShield nor other third-party components used in InstallShield are calling this method, and therefore InstallShield is not affected by this vulnerability.
I hope this helps.
Thanks for the information, which is fine to remediate the CVE for the cyber security report of our next release.
Could you anyway share some insights on the roadmap to migrate InstallShield to a new zlib version?
Hello @shunt, on similar lines, the BDBA scan report of an MSI built with IS2023R1 shows that zlib is detected for Binary.ISPrereqLauncher (Zlib 1.2.13), Binary.ISSetup.dll (no version) and Setup.exe (no version).
Would you let us know the version of zlib used in InstallShield 2023 R1? It would also be helpful if you could point to the 'Non-Commercial Software Disclosures Form', if available, for InstallShield software.