scout-cli
Python CVE for 3.10 is found for Python 3.11
For CVE: https://scout.docker.com/vulnerabilities/id/CVE-2022-42919?s=ubuntu&n=python3.11&ns=ubuntu&t=deb&osn=ubuntu&osv=22.04&vr=%3E%3D0
I have Python 3.11 installed with:
add-apt-repository ppa:deadsnakes/ppa \
&& apt-get install -y python3.11 python3.11-venv python3.11-distutils \
&& python3.11 -m ensurepip
Scout reports:
pkg:deb/ubuntu/[email protected]%2Bjammy1?os_distro=jammy&os_name=ubuntu&os_version=22.04
✗ HIGH CVE-2022-42919
https://scout.docker.com/v/CVE-2022-42919
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.8
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
This should not be reported as the CVE says nothing about Python 3.11, but:
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux
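A triage check for this kind of finding, added here as an example (not code from the issue, from Ubuntu, or from Docker Scout): it takes the package purl and the "Affected range" as Scout prints them and compares the package's upstream version against the version ranges stated in the CVE text quoted above. The purl version 3.11.0-1+jammy1 used in the sample is constructed, since the version in the report above is garbled.

```python
# Added example: decide whether a scanner finding with a catch-all affected
# range (">=0") is actually covered by the upstream CVE's own version ranges.
import re
from urllib.parse import unquote

# Upstream wording for CVE-2022-42919, as quoted in the issue:
# "Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux"
# Encoded as {minor series: first fixed version}.
UPSTREAM_AFFECTED = {
    "CVE-2022-42919": {(3, 9): (3, 9, 16), (3, 10): (3, 10, 9)},
}


def parse_purl_version(purl: str) -> tuple:
    """Return the upstream version tuple from a deb purl, e.g.
    pkg:deb/ubuntu/python3.11@3.11.0-1%2Bjammy1?os_distro=jammy -> (3, 11, 0).
    The Debian revision (-1+jammy1, -1~22.04) and any epoch (1:) are dropped."""
    m = re.match(r"pkg:deb/[^/]+/([^@]+)@([^?]+)", purl)
    if not m:
        raise ValueError(f"not a deb purl: {purl}")
    version = unquote(m.group(2))           # %2B -> +
    upstream = version.split("-", 1)[0]     # drop Debian revision
    upstream = upstream.split(":", 1)[-1]   # drop epoch if present
    return tuple(int(p) for p in upstream.split("."))


def upstream_affected(cve: str, version: tuple) -> bool:
    """True only if the CVE's own affected ranges cover this version."""
    fixed = UPSTREAM_AFFECTED[cve].get(version[:2])
    return fixed is not None and version < fixed


def triage(purl: str, cve: str, scanner_range: str) -> str:
    """Classify a scanner finding; a catch-all range on a version outside the
    upstream ranges is the pattern reported in this issue."""
    version = parse_purl_version(purl)
    if upstream_affected(cve, version):
        return "affected"
    if scanner_range.strip() in (">=0", "*"):
        return "likely false positive: catch-all range, version outside upstream affected ranges"
    return "outside upstream affected ranges"


if __name__ == "__main__":
    # Constructed sample purl (the PPA build version is assumed, not from the report).
    sample = "pkg:deb/ubuntu/python3.11@3.11.0-1%2Bjammy1?os_distro=jammy&os_name=ubuntu&os_version=22.04"
    print(triage(sample, "CVE-2022-42919", ">=0"))
```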
Hi @gergelyfabian, does Ubuntu not list python 3.11 on Jammy at https://ubuntu.com/security/CVE-2022-42919?
Maybe it lists it, because there is no Python 3.11 on Ubuntu Jammy according to packages.ubuntu.com (but 3.10.6, that seems to be affected). According to the CVE's description this CVE is clearly for 3.9 and 3.10 and not 3.11.
Also, I have installed Python 3.11 on Jammy from a PPA.
I think this also may be a mistake on Ubuntu's side, as it should either say for Jammy that Python 3.11 "Does not exist" or "Not vulnerable (3.11.0-3)".
Worked around this by upgrading to the Ubuntu 24.04 image.