Message-ID: <d9ce583a-1a07-4e82-a519-f6122fe8180e@cpan.org>
Date: Thu, 5 Mar 2026 09:06:37 +0000
From: Robert Rothenberg <rrwo@...n.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-3381: Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib

========================================================================
CVE-2026-3381                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-3381
  Distribution:  Compress-Raw-Zlib
      Versions:  through 2.219

      MetaCPAN:  https://metacpan.org/dist/Compress-Raw-Zlib
      VCS Repo:  https://github.com/pmqs/Compress-Raw-Zlib


Compress::Raw::Zlib versions through 2.219 for Perl use potentially
insecure versions of zlib

Description
-----------
Compress::Raw::Zlib versions through 2.219 for Perl use potentially
insecure versions of zlib.

Compress::Raw::Zlib includes a copy of the zlib library.
Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses
findings from the 7ASecurity audit of zlib. This includes fixes for
CVE-2026-27171.

Problem types
-------------
- CWE-1395 Dependency on Vulnerable Third-Party Component

Solutions
---------
Upgrade to Compress::Raw::Zlib 2.220 or later.

References
----------
https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.221/source/Changes
https://www.zlib.net/
https://github.com/madler/zlib
https://github.com/madler/zlib/releases/tag/v1.3.2
https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
https://www.cve.org/CVERecord?id=CVE-2026-27171

Timeline
--------
- 2026-02-17: zlib 1.3.2 released.
- 2026-02-27: Compress::Raw::Zlib 2.220 released.
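
One way to check a Perl installation against the versions named above, added here as an example and not part of the advisory or of the Compress-Raw-Zlib distribution: it lists every copy of the module on @INC and reports the zlib version the loaded module is actually using. The 2.220 and 1.3.2 thresholds come from the advisory; the output labels and exit code are choices made for this example, and the zlib comparison assumes stock zlib version numbering.

```perl
#!/usr/bin/env perl
# Added example, not part of the advisory: audit this perl for CVE-2026-3381.
use strict;
use warnings;
use File::Spec;
use Module::Metadata;
use version;

my $FIXED_MODULE = version->parse('2.220');    # first fixed release, per the advisory
my $FIXED_ZLIB   = version->parse('v1.3.2');   # zlib bundled with 2.220, per the advisory
my $findings     = 0;

# List every copy on @INC: an old copy earlier in the path shadows a patched one.
for my $dir (grep { !ref } @INC) {
    my $file = File::Spec->catfile($dir, 'Compress', 'Raw', 'Zlib.pm');
    next unless -f $file;
    my $meta = Module::Metadata->new_from_file($file);
    my $ver  = $meta ? $meta->version('Compress::Raw::Zlib') : undef;
    if (!defined $ver) {
        print "UNKNOWN   $file (no parsable \$VERSION)\n";
        $findings++;
    }
    elsif ($ver < $FIXED_MODULE) {
        print "AFFECTED  $file ($ver)\n";
        $findings++;
    }
    else {
        print "ok        $file ($ver)\n";
    }
}

# The module can also be built against a system zlib, so ask the loaded
# library for its version instead of inferring it from the module version.
if (eval { require Compress::Raw::Zlib; 1 }) {
    my $zlib = Compress::Raw::Zlib::zlib_version();
    my ($num) = $zlib =~ /^(\d+(?:\.\d+)+)/;
    if (defined $num && version->parse("v$num") >= $FIXED_ZLIB) {
        print "ok        loaded zlib reports $zlib\n";
    }
    else {
        print "REVIEW    loaded zlib reports $zlib (older than 1.3.2 or unrecognised)\n";
        $findings++;
    }
}

exit($findings ? 1 : 0);
```

Run it with each perl binary in use (system perl, perlbrew builds, application-bundled interpreters), since each has its own @INC.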