GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.

openjdk-17 CVE patches - CVE-2024-20918, CVE-2024-20932 and CVE-2024-20952

psilore opened this issue

  • I have read the SECURITY.md
  • I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
  • this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.

Please describe the image you encountered this with and a link to the debian security tracker
https://security-tracker.debian.org/tracker/CVE-XXXX-YYYYY

Images affected:
gcr.io/distroless/java17-debian12:nonroot
sha256:2cc5796fd98c8ec82626ac1857550afa3d975a30dd468e06e7df9372ed1d3c17

Security Tracker:
https://security-tracker.debian.org/tracker/CVE-2024-20952
https://security-tracker.debian.org/tracker/CVE-2024-20918
https://security-tracker.debian.org/tracker/CVE-2024-20932

Current package is: 17.0.9+9-1~deb11u1
Fix is in: 17.0.10+7-1~deb11u1

My first post, please be gentle.

It might not have passed 48 hours, not sure... sorry.

commented

Should be merged and builds available soon. Typically a report like this is just extra work for us; they do not need to be reported. Dependency updates are automatically generated -- the 48 hours is an important metric as Debian snapshot updates take some time to propagate.