
Bug#992115:



Just to give a bit of context:

One of the problems with publishing severities as-is is looking less secure 
while that is actually not true.
For example, publishing docker images to quay.io for several distributions 
will make Debian look worse than others.

| Tag               | Last Modified | Security Scan |
|-------------------|---------------|---------------|
| ubuntu-20.04-java | an hour ago   | 5 Medium      |
| debian-11-java    | 2 hours ago   | 1 High        |
| centos-7          | 6 hours ago   | Passed        |

Here Debian reports 
https://security-tracker.debian.org/tracker/CVE-2021-33574 as High, but 
this CVE only seems to affect glibc 2.32 & 2.33, while all versions of 
Debian (but sid) have 2.31 or earlier, so they shouldn't be affected.

The RedHat/Fedora bug tracker clearly stated that, and Ubuntu has the CVE in 
"Triage" status, so it doesn't show up in the scan report in quay.io (and 
I guess in many other scanning tools which rely on distribution security 
bug trackers).
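The mismatch described above, a tracker severity copied into a scan result without checking whether the release's glibc actually falls in the affected range, as an added example that is not code from this bug report, from Debian's tracker or from quay.io. It reimplements dpkg's version ordering in Python; the per-image glibc versions and the affected range (2.32 <= version < 2.34, my reading of the mail's "2.32 & 2.33") are assumptions made for the example.

```python
import re

# Assumed reading of the mail's claim: CVE-2021-33574 applies from glibc 2.32 up to,
# but not including, 2.34.  Per-image glibc versions below are constructed samples.
AFFECTED_FROM, FIXED_IN = "2.32", "2.34"
IMAGES = {"ubuntu-20.04-java": "2.31-0ubuntu9.2",
          "debian-11-java": "2.31-13+deb11u2",
          "debian-sid-java": "2.33-1"}

def _order(c):
    """dpkg ordering for non-digit chars: '~' < end-of-string < letters < others."""
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _key(fragment):
    """Sort key reproducing dpkg's verrevcmp(): alternating non-digit/digit runs.
    A trailing 0 per run stands for end-of-string, so '1.0~rc1' sorts before '1.0'."""
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", fragment)]

def version_key(v):
    """(epoch, upstream key, revision key) with Debian's ':' and '-' splitting rules."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return (int(epoch), _key(upstream), _key(rev))

def dpkg_compare(a, b):
    """-1, 0 or 1, like `dpkg --compare-versions a lt/eq/gt b`."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)

def cve_applies(installed):
    """True only when AFFECTED_FROM <= installed < FIXED_IN."""
    return (dpkg_compare(installed, AFFECTED_FROM) >= 0
            and dpkg_compare(installed, FIXED_IN) < 0)

def triage(images=IMAGES):
    """Per image: keep the tracker's 'High' only if the installed range matches."""
    return {name: "High" if cve_applies(ver) else "not affected"
            for name, ver in images.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:20} {verdict}")
```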
