libc6 CVE patches - CVE-2023-6246 and CVE-2023-6779
eightseventhreethree opened this issue
- I have read the SECURITY.md
- I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
- this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.
Please describe the image you encountered this with and a link to the debian security tracker
Images affected:
- gcr.io/distroless/java17-debian12:nonroot-amd64 (sha256:106384883fc9770cf02b81f4d45d3765512749cd48a003cfd8b8db7da3531290)
- gcr.io/distroless/cc-debian12:nonroot-amd64 (sha256:5d6be8eee3d5b11f184c5fd1e8aa5594491e6fda48fbed2282d44368fba0f240)
- gcr.io/distroless/nodejs20-debian12:nonroot-amd64 (sha256:51af63599b30070347b5852bef7d56cc9c89a6370cb7597e82779cdacb2ba8dc)
Security Tracker:
- https://security-tracker.debian.org/tracker/CVE-2023-6246
- https://security-tracker.debian.org/tracker/CVE-2023-6779
Current package is: 2.36-9+deb12u3
fix is in: 2.36-9+deb12u4
In addition the Security doc mentions that only Debian 11 (bullseye) is tracked, but I see debian12 packages in debian_archives.bzl.
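A way to perform the version check this report describes against an image's own package metadata, as an added example that is not part of the original issue or of the distroless project's code. It reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision; `~` sorts before everything including end of string; letters before punctuation; digit runs compared numerically) and reads the per-package control stanza that distroless images keep under `/var/lib/dpkg/status.d/`. The stanza text is constructed for the example; `FIXED_LIBC6`, `compare_versions`, `installed_version` and `is_fixed` are names chosen here, not anything from the distroless tooling.

```python
"""Check whether a package recorded in a distroless image's dpkg metadata is at
or above a fixed version, using dpkg's version-comparison rules.

Added example, not code from the distroless project. SAMPLE_STATUS is a
constructed stand-in for /var/lib/dpkg/status.d/libc6 from a debian12 image.
"""

FIXED_LIBC6 = "2.36-9+deb12u4"   # version the security tracker names for the two CVEs

# Constructed sample: dpkg control stanzas as distroless ships them under
# /var/lib/dpkg/status.d/<package>; only the fields used here are shown.
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Architecture: amd64
Version: 2.36-9+deb12u3
Source: glibc

Package: base-files
Status: install ok installed
Architecture: amd64
Version: 12.4+deb12u2
"""


def _order(ch: str) -> int:
    """Character weight dpkg uses for the non-digit parts of a version."""
    if ch == "~":
        return -1          # '~' sorts before everything, even end of string
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)     # letters sort before punctuation
    return ord(ch) + 256   # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Leading non-digit run: compare character by character by weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""   # dpkg treats a missing revision like "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def installed_version(status_text: str, package: str):
    """Return the Version field of `package` from dpkg status text, or None."""
    for stanza in status_text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith((" ", "\t")):   # skip continuation lines
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields.get("Package") == package:
            return fields.get("Version")
    return None


def is_fixed(status_text: str, package: str, fixed_version: str) -> bool:
    """True when `package` is present at or above `fixed_version`.

    An absent package is reported as not fixed so the caller looks at it
    rather than silently passing."""
    current = installed_version(status_text, package)
    if current is None:
        return False
    return compare_versions(current, fixed_version) >= 0


if __name__ == "__main__":
    found = installed_version(SAMPLE_STATUS, "libc6")
    print(f"libc6 {found}: fixed={is_fixed(SAMPLE_STATUS, 'libc6', FIXED_LIBC6)}")
```

To run this against one of the listed images rather than the constructed stanza, pull the file out of the image filesystem first, for example `crane export gcr.io/distroless/cc-debian12:nonroot-amd64 - | tar -xO var/lib/dpkg/status.d/libc6`, and pass that text as `status_text`. On a Debian host, `dpkg --compare-versions` can be used to cross-check `compare_versions` for any pair of version strings.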
> In addition the Security doc mentions that only Debian 11 (bullseye) is tracked, but I see debian12 packages in debian_archives.bzl.
Ah, good point, I should update that. It's a bit tricky to find the exact time a fix was produced (the 48-hour window for distroless), but we should automatically pick this up when we can.
It does look like our last update still used 2.36-9 from the debian security snapshots though. It also looks like tonight's update should pick it up.
See #1509
KK should be ready to update once the build completes -- status of the build here: https://github.com/GoogleContainerTools/distroless/runs/21137038849
I'll close this for now