docker.io update with no CVE

To: debian-lts@lists.debian.org
Subject: docker.io update with no CVE
From: Marc SCHAEFER <schaefer@alphanet.ch>
Date: Thu, 27 Feb 2025 11:49:07 +0100
Message-id: <Z8BDI2n+suat/cn5@alphanet.ch>

Hello,

There is a docker.io upgrade for bullseye:

   https://security-tracker.debian.org/tracker/TEMP-0000000-7C9547

However, it was not yet announced, if I am not mistaken.

Is this because of a responsible disclosure policy?

$ dpkg -s docker.io|grep Version
Version: 20.10.5+dfsg1-1+deb11u3

$ apt-cache show docker.io | grep Version | head
Version: 20.10.5+dfsg1-1+deb11u4

Manually downloading, the changelog says:

   docker.io (20.10.5+dfsg1-1+deb11u4) bullseye-security; urgency=medium

     * LTS Team upload.
     * Rebuild with golang-glog 0.0~git20160126.23def4e-3+deb11u1.
     * No source changes.

Does that mean that it actually would fix a go issue that docker.io uses?

Aka this vulnerability:
   https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs

Thank you for clarification.

Reply to:

Follow-Ups:
- Re: docker.io update with no CVE
  - From: Daniel Leidert <dleidert@debian.org>

Prev by Date: Re: Please giveback emacs 1:27.1+1-3.1+deb11u6 on arm64
Next by Date: Re: Bug#1098775: bullseye-pu: package proftpd-dfsg/1.3.7a+dfsg-12+deb11u4
Previous by thread: Re: Please giveback emacs 1:27.1+1-3.1+deb11u6 on arm64
Next by thread: Re: docker.io update with no CVE
Index(es):
- Date
- Thread