libc6 in image of gcr.io/distroless/java17-debian11:latest still has CVE-2023-4911
taotao100 opened this issue
- I have read the SECURITY.md
- I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
- this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.
Please describe the image you encountered this with and a link to the debian security tracker
https://security-tracker.debian.org/tracker/CVE-2023-4911
Trivy detected CVE-2023-4911 in libc6 of the image gcr.io/distroless/java17-debian11:latest; it still has the CVE.
Total: 1 (HIGH: 1, CRITICAL: 0)
Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title
libc6 │ CVE-2023-4911 │ HIGH │ fixed │ 2.31-13+deb11u6 │ 2.31-13+deb11u7 │ buffer overflow in ld.so leading to privilege escalation https://avd.aquasec.com/nvd/cve-2023-4911
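The scanner's verdict above boils down to one comparison: is the libc6 version recorded in the image's dpkg metadata older than the fixed version 2.31-13+deb11u7 from the Debian security tracker? The following script, an added example that is not part of this issue or of the distroless project, reproduces that check offline. It reads a dpkg status stanza (the constructed sample below mirrors the per-package files distroless keeps under /var/lib/dpkg/status.d/, which is an assumption about the layout) and compares versions with a re-implementation of dpkg's version ordering (epoch, upstream, revision, with "~" sorting before everything and digit runs compared numerically).

```python
import re

# Constructed sample of a dpkg status stanza for libc6, matching the
# installed version trivy reported in this issue. Not taken from a real image.
SAMPLE_STATUS = """Package: libc6
Status: install ok installed
Architecture: amd64
Version: 2.31-13+deb11u6
"""

# Fixed version for CVE-2023-4911 on bullseye, as shown in the trivy output.
FIXED_LIBC6_BULLSEYE = "2.31-13+deb11u7"


def _order(c):
    """Character weight used by dpkg for the non-digit parts of a version."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end-of-string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Walk the non-digit prefix of both strings, weight by weight.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Compare the following digit runs numerically (ignoring leading zeros).
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1   # a has more digits, so it is the larger number
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def installed_version(status_text, package):
    """Return the Version field of the stanza whose Package matches, or None."""
    for stanza in re.split(r"\n\s*\n", status_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields.get("Package") == package:
            return fields.get("Version")
    return None


def is_vulnerable(installed, fixed):
    """True when the installed version is strictly older than the fixed one."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    found = installed_version(SAMPLE_STATUS, "libc6")
    print(f"libc6 {found}: vulnerable={is_vulnerable(found, FIXED_LIBC6_BULLSEYE)}")
```

To run it against a real image, copy the package's status file out with `docker create` followed by `docker cp` (distroless images ship no shell to inspect from inside) and pass the file contents to `installed_version`. Re-running the check against a freshly pulled `latest` is the quickest way to settle the "is your image up to date?" question the maintainer raises below.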
Looks like this was very recently available in Debian security snapshots. I'll run the updater again.
This update already happened in #1419.
Actually, I'm not sure what trivy is doing here. If you use gcr.io/distroless/java17-debian11:latest-amd64
it's fine. I can't tell if the scanner is misbehaving or our image index is wrong.
Never mind, it looks like everything is working fine. Are you sure your image is up to date?
My testing reveals this isn't a problem, but please reopen if, after updating to the newest latest, you are still seeing this:
gcr.io/distroless/java17-debian11@sha256:02da3336c22a538c37084e293d13b69bf1bee1f6058404cef28192aa667d19d2
Also, debian12 builds are available now. It might be a good time to update your build to gcr.io/distroless/java17-debian12.
With the latest image, the CVE no longer exists. Thanks for your suggestion.