Re: docker.io update with no CVE
Hi,
On Thu, Feb 27, 2025 at 03:33:00PM +0100, Daniel Leidert wrote:
> Am Donnerstag, dem 27.02.2025 um 11:49 +0100 schrieb Marc SCHAEFER:
> >
> > There is a docker.io upgrade for bullseye:
> >
> > https://security-tracker.debian.org/tracker/TEMP-0000000-7C9547
> >
> > However, it was not yet announced, if I am not mistaken.
> >
> > Is this because of a responsible disclosure policy?
> >
> > $ dpkg -s docker.io|grep Version
> > Version: 20.10.5+dfsg1-1+deb11u3
> >
> > $ apt-cache show docker.io | grep Version | head
> > Version: 20.10.5+dfsg1-1+deb11u4
> >
> > Manually downloading, the changelog says:
> >
> > docker.io (20.10.5+dfsg1-1+deb11u4) bullseye-security; urgency=medium
> >
> > * LTS Team upload.
> > * Rebuild with golang-glog 0.0~git20160126.23def4e-3+deb11u1.
> > * No source changes.
> >
> > Does that mean that it actually would fix a go issue that docker.io
> > uses?
>
> I think this relates to DLA-4056-1. According to a recent discussion,
> there should probably be separate DLAs for affected and updated
> packages like docker.io (there were more). I'll forward this to the LTS
> team's list.
Golang and Rust are complicated lands in this regard. For the
packages rebuilt due to a fix needed in golang-glog, the package might
just be mentioned in the respective advisory text (or it might say that there
are packages requiring a rebuild). But they are not tracked, as it's not a
fix done in that respective source package.
Cf. https://lists.debian.org/debian-lts-announce/2025/02/msg00019.html
Regards,
Salvatore
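Since the rebuilt Go packages are not tracked against their own source package, a defender has to find them locally. The following added script (not part of this thread or of any Debian tooling) parses a Debian Sources index and lists the binary packages whose source build-depends on a given -dev package; the Sources sample is constructed, and the live helper assumes deb-src entries are enabled so apt keeps `/var/lib/apt/lists/*_Sources`.

```shell
# Constructed sample of a Debian "Sources" index (deb-src metadata), cut down
# to the fields this check needs; names and versions are illustrative only.
SAMPLE_SOURCES='Package: docker.io
Binary: docker.io, golang-github-docker-docker-dev
Version: 20.10.5+dfsg1-1+deb11u4
Build-Depends: debhelper-compat (= 13), golang-go,
 golang-glog-dev, golang-github-sirupsen-logrus-dev

Package: golang-glog
Binary: golang-glog-dev
Version: 0.0~git20160126.23def4e-3+deb11u1
Build-Depends: debhelper-compat (= 13), golang-go

Package: fakeroot
Binary: fakeroot, libfakeroot
Version: 1.25.3-1.1
Build-Depends: debhelper-compat (= 13), po4a
'

# Read a Sources index on stdin; print, one per line, the binary packages of
# every source stanza whose Build-Depends (folded continuation lines included)
# names the -dev package $1. Go links statically, so each of them embeds it.
rebuild_candidates() {
  awk -v dev="$1" '
    function flush(  n, i, arr) {
      if (src != "" && match(" " bd " ", "[ ,]" dev "[ ,(]")) {
        n = split(bins, arr, ", *")
        for (i = 1; i <= n; i++) print arr[i]
      }
      src = ""; bins = ""; bd = ""
    }
    /^Package: /       { flush(); src = $2 }
    /^Binary: /        { sub(/^Binary: /, ""); bins = $0; field = "bins"; next }
    /^Build-Depends: / { sub(/^Build-Depends: /, ""); bd = $0; field = "bd"; next }
    /^[ \t]/ { if (field == "bins") { bins = bins $0 } else if (field == "bd") { bd = bd $0 }; next }
    /^[^ \t]/          { field = "" }
    END                { flush() }'
}

# Live variant (assumption: deb-src lines are enabled, so apt keeps
# /var/lib/apt/lists/*_Sources): intersect the candidates with what dpkg says
# is installed, i.e. the local packages that need a rebuild when $1 is fixed.
installed_built_against() {
  tmp=$(mktemp) && dpkg-query -W -f '${binary:Package}\n' | LC_ALL=C sort -u >"$tmp"
  cat /var/lib/apt/lists/*_Sources 2>/dev/null | rebuild_candidates "$1" \
    | LC_ALL=C sort -u | LC_ALL=C comm -12 - "$tmp"
  rm -f "$tmp"
}

printf '%s' "$SAMPLE_SOURCES" | rebuild_candidates golang-glog-dev
```

On the sample this prints docker.io and golang-github-docker-docker-dev, the two binaries built from a source that pulls in golang-glog-dev; `installed_built_against golang-glog-dev` does the same against the real index and the local dpkg database.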