M-Brig 0 Posted November 15
Hello, just a question in reference to the latest ICS FTP component, version 9.3, and ZLib. We have an older version of the component dated November 2013 and recently had a vulnerability test performed on our software. It flagged ZLib as highly vulnerable. After doing a search through all the XML files produced at compile time, we noticed that the ICS FTP Client component uses Zlib. We are trying to eliminate these vulnerabilities in our software. Does anyone know if the latest version is vulnerable to these ZLib flags? Thanks for all your help.
DelphiUdIT 187 Posted November 15 (edited)
If you refer to this notice of CVE: https://github.com/madler/zlib/issues/868 they have resolved it with version 1.3.1. And the new Delphi version uses the right version:
Edited November 15 by DelphiUdIT
Angus Robertson 577 Posted November 15
ICS V8.70 and later come with Zlib 1.2.12 for old Delphi releases, but automatically use the System.Zlib for Delphi 11.1, which had the same release, and newer releases have newer Zlibs. Not planning to update the built-in version for old compilers, unless there is a serious issue.
Angus
JonRobertson 72 Posted November 15
24 minutes ago, DelphiUdIT said:
If you refer to this notice of CVE: https://github.com/madler/zlib/issues/868 they have resolved it with version 1.3.1.
Although that probably does not affect Delphi apps that use zlib. CVE-2023-45853 was a vulnerability in the minizip code in the contrib folder, not the zlib source.
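The two points made above (the fix ships in zlib 1.3.1, and CVE-2023-45853 lives in contrib/minizip rather than core zlib) are what a scanner finding like the one in the first post has to be checked against. The following is an added Python example, not code from this thread, from ICS, or from zlib: it parses zlib version strings numerically (so "1.2.9" is not mistaken for newer than "1.2.12", a common false positive when scanners compare lexically), checks them against the 1.3.1 fix release, and records whether a build actually links minizip. The inventory of builds and the `uses_minizip` flag are constructed sample data; the thread does not say which builds link minizip.

```python
import re
import zlib

# zlib release named in the thread as the one that resolves CVE-2023-45853.
MIN_FIXED = "1.3.1"


def parse_version(v):
    """Turn '1.2.12' into (1, 2, 12) so comparisons are numeric, not lexical.

    Accepts a trailing suffix (e.g. a vendor tag) after the numeric part and
    treats a missing patch number as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_at_least(version, minimum=MIN_FIXED):
    """True when `version` is the fix release or newer."""
    return parse_version(version) >= parse_version(minimum)


def assess(version, uses_minizip):
    """Relate one build to the CVE discussed in the thread.

    uses_minizip: whether the build links the contrib/minizip code, which is
    where the thread places the CVE (not the core zlib source).
    Returns "fixed", "not-affected" or "affected".
    """
    if is_at_least(version):
        return "fixed"
    if not uses_minizip:
        return "not-affected"
    return "affected"


def report(builds):
    """Map build name -> verdict for an inventory of (version, uses_minizip)."""
    return {name: assess(v, mz) for name, (v, mz) in builds.items()}


# Constructed sample inventory (hypothetical, not real scan output):
# name -> (zlib version string, does the build link minizip?)
SAMPLE_BUILDS = {
    "ics-builtin-old-delphi": ("1.2.12", False),   # version named in the thread for old compilers
    "system-zlib-recent-delphi": ("1.3.1", False),
    "third-party-unzip-tool": ("1.2.12", True),    # assumed minizip user, for illustration
}

if __name__ == "__main__":
    # The zlib the running interpreter links, assessed as a non-minizip user.
    print("interpreter zlib:", zlib.ZLIB_RUNTIME_VERSION,
          assess(zlib.ZLIB_RUNTIME_VERSION, uses_minizip=False))
    for name, verdict in report(SAMPLE_BUILDS).items():
        print(f"{name}: {verdict}")
```

The numeric comparison matters for exactly the versions in this thread: a lexical check would rank "1.2.9" above "1.2.12". The `uses_minizip` flag is the piece of evidence a scanner finding usually lacks, and it is what decides whether an older zlib is a real exposure or a version-string match only.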
Angus Robertson 577 Posted November 15
There have been other CVEs in Zlib over the years, and we were slow to update our version, which is why ICS now uses the Delphi version, at least for those using recent Delphi versions.
Angus