Xamarin Forms zlib and coreclr Vulnerabilities Checks

[AnasMhaishHNC]

Hello,

We have run the BDBA scan on release packages for both UWP and Android to detect vulnerabilities. We are using Xamarin Forms 5.0.0.2337 with NETStandard.Library 2.0.3.

The BDBA scan found zlib v1.2.8 with the following vulnerabilities with these NVD vectors

• http://nvd.nist.gov/vuln/detail/CVE-2016-9840
• http://nvd.nist.gov/vuln/detail/CVE-2016-9841
• http://nvd.nist.gov/vuln/detail/CVE-2016-9842
• http://nvd.nist.gov/vuln/detail/CVE-2016-9843

And found coreclr v4.6.29713.02 and v4.5.30319.0 with the following vulnerabilities with these NVD vectors

• http://nvd.nist.gov/vuln/detail/CVE-2021-24111
• http://nvd.nist.gov/vuln/detail/CVE-2022-21911

Could you please let us know the road map for updating these libraries for vulnerabilities remediation?

If the road map is unclear yet, could you please provide us with the security risk and impacts that these vulnerabilities have, and if we can accept them.

Much Appreciated

[jfversluis]

Please review our security policy on how to navigate reporting this: https://github.com/xamarin/Xamarin.Forms/security/policy

From what I understand what I'm reading in your message none of these seem specific to Xamarin, but rather to the .NET framework as a whole.