CVE-2023-5678
rchincha opened this issue · comments
- I have read the SECURITY.md
- I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
- this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.
Please describe the image you encountered this with and a link to the debian security tracker
https://security-tracker.debian.org/tracker/CVE-2023-5678
There are no fixes available on debian11 or 12. You also have not included the image you are using. Please take some time to actually read the instructions before making a cve report.
This is tripping up CVE scanners. Why not just add a label "awaiting-upstream-triage/fix" etc?
There's no actionable item here. Fundamentally distroless tracks debian and we don't patch. You can try the debian 12 image (which has no openssl). But distroless comes with no contract; a contracted vendor like Canonical, Chainguard or Red Hat might provide you the fidelity of support you're looking for.
Our auto-updater will pick up a fix as it is made available from debian, which is why we have all those checkboxes. If you want to push for a fix, pushing on the debian maintainers might be more fruitful.