openjdk-17 CVE patches - CVE-2024-20918, CVE-2024-20932 and CVE-2024-20952
psilore opened this issue
- I have read the SECURITY.md
- I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
- this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.
Please describe the image you encountered this with and a link to the debian security tracker
https://security-tracker.debian.org/tracker/CVE-XXXX-YYYYY
Images affected:
gcr.io/distroless/java17-debian12:nonroot
sha256:2cc5796fd98c8ec82626ac1857550afa3d975a30dd468e06e7df9372ed1d3c17
Security Tracker:
https://security-tracker.debian.org/tracker/CVE-2024-20952
https://security-tracker.debian.org/tracker/CVE-2024-20918
https://security-tracker.debian.org/tracker/CVE-2024-20932
Current package is: 17.0.9+9-1~deb11u1; fix is in: 17.0.10+7-1~deb11u1
My first post, please be gentle.
It might not have passed 48 hours, not sure... sorry.
Should be merged and builds available soon. Typically a report like this is just extra work for us; they do not need to be reported. Dependency updates are automatically generated -- the 48 hours is an important metric as Debian snapshot updates take some time to propagate.