Bug#992115:
Just to give a bit of context:
One of the problems with publishing severities as-is is that it makes a distribution look less secure while that is actually not true.
For example, publishing docker images to quay.io for several distributions will make Debian look worse than others.
| Tag | Last Modified | Security Scan |
|-------------------|---------------|---------------|
| ubuntu-20.04-java | an hour ago   | 5 Medium      |
| debian-11-java    | 2 hours ago   | 1 High        |
| centos-7          | 6 hours ago   | Passed        |
Here Debian reports
https://security-tracker.debian.org/tracker/CVE-2021-33574 as High, but
this CVE only seems to affect glibc 2.32 and 2.33, while all versions of
Debian (except sid) have 2.31 or earlier, so they shouldn't be affected.
The RedHat/Fedora bug tracker clearly states that, and Ubuntu has the CVE in
"Triage" status, so it doesn't show up in the scan report in quay.io (and
I guess in many other scanning tools which rely on distribution security
bug trackers).
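The mismatch described in this report, as an added example that is not part of the bug thread: a small triage helper that compares the upstream part of the installed Debian package version against the upstream range the CVE actually affects, and downgrades the tracker severity to "Not affected" when the installed version falls outside that range. The affected range (glibc 2.32 and 2.33) follows the report above; the image package versions and the scan rows are constructed for illustration.

```python
import re

def upstream_version(debian_version: str) -> str:
    """Strip epoch and Debian revision: '2:2.31-13+deb11u2' -> '2.31'."""
    v = debian_version.split(":", 1)[-1]            # drop epoch
    return v.rsplit("-", 1)[0] if "-" in v else v   # drop Debian revision

def version_tuple(v: str) -> tuple:
    """Numeric components only, e.g. '2.31' -> (2, 31)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def is_affected(installed: str, affected_ranges) -> bool:
    """affected_ranges: list of (lowest, highest) upstream versions, inclusive,
    compared at the granularity the range is written in."""
    u = version_tuple(upstream_version(installed))
    return any(version_tuple(lo) <= u <= version_tuple(hi)
               for lo, hi in affected_ranges)

def effective_severity(tracker_severity: str, installed: str, affected_ranges) -> str:
    """Keep the tracker severity only when the installed version is in range."""
    if not is_affected(installed, affected_ranges):
        return "Not affected"
    return tracker_severity

# Constructed scan rows: (image tag, glibc version in the image, tracker severity).
SCAN = [
    ("debian-11-java", "2.31-13+deb11u2", "High"),   # bullseye, glibc 2.31
    ("debian-sid-java", "2.33-1", "High"),           # hypothetical sid image
]

# Upstream range the CVE affects, as stated in the report (2.32 and 2.33).
CVE_2021_33574_RANGES = [("2.32", "2.33")]

def triage(rows=SCAN):
    """Map each image tag to the severity that actually applies to it."""
    return {tag: effective_severity(sev, ver, CVE_2021_33574_RANGES)
            for tag, ver, sev in rows}

if __name__ == "__main__":
    for tag, sev in triage().items():
        print(f"{tag}: {sev}")
```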