GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.


libc6 CVE patches - CVE-2023-6246 and CVE-2023-6779

eightseventhreethree opened this issue · comments

commented
  • I have read the SECURITY.md
  • I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
  • this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.

Please describe the image you encountered this with and a link to the debian security tracker

Images affected:

  • gcr.io/distroless/java17-debian12:nonroot-amd64 (sha256:106384883fc9770cf02b81f4d45d3765512749cd48a003cfd8b8db7da3531290)
  • gcr.io/distroless/cc-debian12:nonroot-amd64 (sha256:5d6be8eee3d5b11f184c5fd1e8aa5594491e6fda48fbed2282d44368fba0f240)
  • gcr.io/distroless/nodejs20-debian12:nonroot-amd64 (sha256:51af63599b30070347b5852bef7d56cc9c89a6370cb7597e82779cdacb2ba8dc)

Security Tracker:

Current package is: 2.36-9+deb12u3 fix is in: 2.36-9+deb12u4

In addition the Security doc mentions that only Debian 11 (bullseye) is tracked, but I see debian12 packages in debian_archives.bzl.

commented

In addition the Security doc mentions that only Debian 11 (bullseye) is tracked, but I see debian12 packages in debian_archives.bzl.

Ah good point, I should update that. It's a bit tricky to find the exact time a fix was produced (the 48 hours window for distroless), but we should automatically pick this up when we can.

commented

It does look like our last update still used 2.36-9 from debian security snapshots though. It also looks like tonight's update should pick it up.

commented

KK should be ready to update once the build completes -- status of build here: https://github.com/GoogleContainerTools/distroless/runs/21137038849

I'll close this for now