
CVE-2023-24329

Open jonathannaguin opened this issue 1 year ago • 2 comments

  • [x] I have read the SECURITY.md
  • [x] I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
  • [ ] this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.

Please describe the image you encountered this with and a link to the debian security tracker https://security-tracker.debian.org/tracker/CVE-2023-24329

The stable version of Python 3.11 in Debian 12 is 3.11.2, although 3.11.8 is available as "unstable". I am unsure how Debian tags packages but found some old threads which seem to indicate stable will never change for that release, which would leave this CVE on the Distroless images until Debian trixie comes along.

jonathannaguin avatar Mar 06 '24 12:03 jonathannaguin

Yeah, that's kind of an unfortunate side effect of tracking Debian. This seems like a minor update on the version number though, and maybe the fix will come?

loosebazooka avatar Apr 29 '24 16:04 loosebazooka

Apparently they backported the fix: See #1613

JasperJuergensen avatar Jul 01 '24 14:07 JasperJuergensen