GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.


CVE-2023-5678

rchincha opened this issue · comments

  • I have read the SECURITY.md
  • I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
  • this CVE shows a fix is available in the appropriate Debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.

Please describe the image you encountered this with and a link to the debian security tracker
https://security-tracker.debian.org/tracker/CVE-2023-5678

commented

There are no fixes available on Debian 11 or 12. You also have not included the image you are using. Please take some time to actually read the instructions before making a CVE report.

This is tripping up CVE scanners. Why not just add a label "awaiting-upstream-triage/fix" etc?

commented

There's no actionable item here. Fundamentally distroless tracks Debian and we don't patch. You can try the Debian 12 image (which has no openssl). But distroless comes with no contract; a contracted vendor like Canonical, Chainguard or Red Hat might provide you the fidelity of support you're looking for.

commented

Our auto-updater will pick up a fix as it is made available from Debian, which is why we have all those checkboxes. If you want to push for a fix, pushing on Debian maintainers might be more fruitful.
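As an added example (not part of this issue or of the distroless project), a small triage helper that applies the template's checklist to the Debian security tracker's JSON export: a report is only actionable when a tracked Debian release (bullseye or bookworm) carries a fixed version and the affected package is actually present in the image. The dictionary shape mirrors the tracker's export as assumed here, and every version string is constructed sample data, not the real tracker entry for CVE-2023-5678.

```python
# Constructed sample in the shape of the Debian security tracker JSON export
# (source package -> CVE id -> "releases" -> release -> status); versions are
# made up and are NOT the real tracker data for CVE-2023-5678.
SAMPLE_TRACKER = {
    "openssl": {
        "CVE-2023-5678": {
            "releases": {
                "bullseye": {"status": "open",
                             "repositories": {"bullseye": "1.1.1w-0+deb11u1"}},
                "bookworm": {"status": "open",
                             "repositories": {"bookworm": "3.0.11-1~deb12u2"}},
                "sid": {"status": "resolved", "fixed_version": "3.0.13-1",
                        "repositories": {"sid": "3.0.13-1"}},
            }
        }
    }
}

# Debian releases the distroless images are built from (Debian 11 and 12).
DISTROLESS_RELEASES = ("bullseye", "bookworm")


def fix_status(tracker, cve, installed_sources, releases=DISTROLESS_RELEASES):
    """Map (source package, release) -> fixed version, or None while still open.

    Only source packages present in the image count (the tracker is keyed by
    source package, so map the image's binary packages to sources first); a
    fix that exists only in "sid" does not count, it must land in a tracked release.
    """
    status = {}
    for package, cves in tracker.items():
        if package not in installed_sources or cve not in cves:
            continue
        for rel, info in cves[cve].get("releases", {}).items():
            if rel in releases:
                resolved = info.get("status") == "resolved"
                status[(package, rel)] = info.get("fixed_version") if resolved else None
    return status


def report_is_actionable(tracker, cve, installed_sources, releases=DISTROLESS_RELEASES):
    """Checklist condition: True only if some tracked release has a fix.
    The "more than 48 hours" wait is not in the export and is left to the reporter."""
    return any(v is not None
               for v in fix_status(tracker, cve, installed_sources, releases).values())


if __name__ == "__main__":
    print(fix_status(SAMPLE_TRACKER, "CVE-2023-5678", {"openssl"}))     # open in both
    print(report_is_actionable(SAMPLE_TRACKER, "CVE-2023-5678", {"openssl"}))  # False
```

Run against the real export, an image whose package list omits openssl (the Debian 12 variant mentioned above) yields an empty status map, which is the scanner-noise case the thread describes.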