GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.


libc6 in image of gcr.io/distroless/java17-debian11:latest still has CVE-2023-4911

taotao100 opened this issue · comments

  • I have read the SECURITY.md
  • I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
  • this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.

Please describe the image you encountered this with and a link to the debian security tracker
https://security-tracker.debian.org/tracker/CVE-2023-4911

trivy detected that libc6 in the image gcr.io/distroless/java17-debian11:latest still has CVE-2023-4911:

Total: 1 (HIGH: 1, CRITICAL: 0)

Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title
libc6 │ CVE-2023-4911 │ HIGH │ fixed │ 2.31-13+deb11u6 │ 2.31-13+deb11u7 │ buffer overflow in ld.so leading to privilege escalation https://avd.aquasec.com/nvd/cve-2023-4911
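The finding above is a version comparison: the scanner believes the installed libc6 (2.31-13+deb11u6) is older than the version that carries the fix (2.31-13+deb11u7). The following is an added example, not code from the distroless project or from anyone in this thread: it implements dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting before everything and letters before other characters) and re-checks a constructed report modelled on trivy's JSON layout, so a finding like this one can be verified independently of the scanner's own database. The sample report and the second, already-patched entry in it are constructed for illustration.

```python
"""Re-check a trivy-style finding by comparing Debian package versions.

Added example; not part of the distroless project or this issue thread.
The comparison follows dpkg's algorithm so that results match
`dpkg --compare-versions` on a Debian host.
"""
import json


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit parts of a version."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)        # letters sort before non-letters
    return ord(c) + 256      # '+', '.', '-' and friends sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does (negative means a < b)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1         # a has more digits, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no revision present
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg --compare-versions semantics: <0 if a < b, 0 if equal, >0 if a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# Constructed sample modelled on trivy's JSON report layout. The first entry
# mirrors the finding quoted in this issue; the second is invented to show a
# package whose installed version already meets the fix.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "gcr.io/distroless/java17-debian11:latest",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-4911", "PkgName": "libc6",
             "InstalledVersion": "2.31-13+deb11u6",
             "FixedVersion": "2.31-13+deb11u7", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
             "InstalledVersion": "1:2.0-3",
             "FixedVersion": "1:2.0-2", "Severity": "LOW"},
        ],
    }]
})


def unfixed_findings(report_json: str):
    """Return (pkg, cve, installed, fixed) for findings still below the fix.

    Findings with no FixedVersion are kept (nothing to compare against).
    A finding whose installed version already meets the fix is worth
    re-checking (stale scanner database, wrong image variant) before acting on.
    """
    report = json.loads(report_json)
    still_open = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            fixed = v.get("FixedVersion")
            if not fixed or compare_versions(v["InstalledVersion"], fixed) < 0:
                still_open.append((v["PkgName"], v["VulnerabilityID"],
                                   v["InstalledVersion"], fixed))
    return still_open


if __name__ == "__main__":
    for pkg, cve, installed, fixed in unfixed_findings(SAMPLE_REPORT):
        print(f"{pkg}: {cve} installed {installed} < fixed {fixed}")
```

Running the script against a real report (`trivy image -f json ...` piped into `unfixed_findings`) gives the same answer dpkg would, which is useful when a finding persists after a rebuild: if the digest you actually pulled carries the fixed version, the comparison returns nothing and the question becomes why the scan saw an older image.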

commented

Looks like this was very recently available in debian security snapshots. I'll run the updater again.

This update already happened in #1419.

commented

Actually, I'm not sure what trivy is doing here. If you use gcr.io/distroless/java17-debian11:latest-amd64 it's fine. I can't tell whether the scanner is misbehaving or our image index is wrong.

Never mind, it looks like everything is working fine. Are you sure your image is up to date?

commented

My testing reveals this isn't a problem, but please reopen if, after updating to the newest latest, you are still seeing this:

gcr.io/distroless/java17-debian11@sha256:02da3336c22a538c37084e293d13b69bf1bee1f6058404cef28192aa667d19d2

Also, debian12 builds are available now. It might be a good time to update your build to gcr.io/distroless/java17-debian12

With the latest image the CVE no longer shows up. Thanks for your suggestion.