Debian 12 security issue - please help to understand
Hi,
I've prepared a docker image based on Debian 12 (bookworm, fully
updated) and after uploading it to a local registry it was automatically
scanned for possible vulnerabilities.
Then I was really surprised when I discovered that according to this scan
there are 139 security vulnerabilities and 2 of them are CRITICAL (!).
I've started to dig further to find out what's going on there.
The first critical on the list is the "zlib1g" binary Debian package, which is
part of (a result of) the wider source package "zlib":
https://tracker.debian.org/pkg/zlib
According to this information (link below), this package is still
vulnerable in bookworm and marked as "(no-DSA, ignored)":
https://security-tracker.debian.org/tracker/source-package/zlib
But according to this (link below), that may be the case "if its
severity is minor":
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
But it seems this is a CRITICAL issue (with a score of 9.8 in one of its three
parts):
https://www.cvedetails.com/cve/CVE-2023-45853/
Why is it not fixed in bookworm? Or maybe I misunderstand
something in the information above?
Similar problem with the second critical on the list: package "libaom3", which
is a binary package from "aom":
https://tracker.debian.org/pkg/aom
https://security-tracker.debian.org/tracker/source-package/aom
https://www.cvedetails.com/cve/CVE-2023-6879/
Please help me to understand :-)
Best regards,
Rafal
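The question above boils down to reconciling two data sources that disagree: a scanner that rates a CVE by its NVD score, and the Debian security tracker that records what Debian actually decided for a release (resolved with a fixed version, open but "no-DSA, ignored", open but postponed, and so on). The script below is an added example written for this thread, not something from the original post or from Debian. It shows how an image owner can triage scanner findings against a copy of the tracker's per-release data. The tracker publishes a JSON feed at https://security-tracker.debian.org/tracker/data/json; the field names used here ("releases", "status", "urgency", "nodsa_reason", "fixed_version") are my understanding of that feed's shape and are an assumption, and every value in the sample is constructed for the example, not real tracker data. The binary-to-source mapping and the scanner findings are likewise constructed.

```python
import json
from collections import Counter

# Constructed sample shaped like the Debian security tracker JSON feed.
# Assumption: the feed nests source package -> CVE -> "releases" -> release
# -> {status, urgency, nodsa, nodsa_reason, fixed_version}. Values below are
# made up for this example; "examplepkg" / CVE-2099-0001 do not exist.
TRACKER_SAMPLE = json.loads(r"""
{
  "zlib": {
    "CVE-2023-45853": {
      "scope": "local",
      "releases": {
        "bookworm": {"status": "open", "urgency": "unimportant",
                     "nodsa": "Minor issue", "nodsa_reason": "ignored"}
      }
    }
  },
  "aom": {
    "CVE-2023-6879": {
      "scope": "local",
      "releases": {
        "bookworm": {"status": "open", "urgency": "unimportant",
                     "nodsa": "Minor issue", "nodsa_reason": "ignored"}
      }
    }
  },
  "examplepkg": {
    "CVE-2099-0001": {
      "scope": "local",
      "releases": {
        "bookworm": {"status": "resolved", "urgency": "high",
                     "fixed_version": "1.0-2+deb12u1"}
      }
    }
  }
}
""")

# Scanners report binary package names (zlib1g, libaom3) while the tracker is
# keyed by source package (zlib, aom). This mapping is constructed; on a real
# image it can be derived with: dpkg-query -W -f='${Package} ${Source}\n'
BINARY_TO_SOURCE = {"zlib1g": "zlib", "libaom3": "aom", "examplepkg": "examplepkg"}

# Constructed scanner output: (binary package, CVE id). The last entry has no
# mapping at all, which is a common real-world gap.
SCAN_FINDINGS = [
    ("zlib1g", "CVE-2023-45853"),
    ("libaom3", "CVE-2023-6879"),
    ("examplepkg", "CVE-2099-0001"),
    ("libfoo1", "CVE-2099-0002"),
]


def classify(entry):
    """Map one per-release tracker entry to a triage bucket."""
    if entry is None:
        return "not-tracked"           # no tracker data: needs a manual look
    if entry.get("status") == "resolved":
        return "fixed"                 # an updated package exists: rebuild
    reason = entry.get("nodsa_reason")
    if reason == "ignored":
        return "open-ignored"          # Debian will not fix it in this release
    if reason == "postponed":
        return "open-postponed"        # fix will ride along with a later update
    return "open"                      # open and not yet triaged by Debian


def triage(findings, tracker, release="bookworm", binary_to_source=BINARY_TO_SOURCE):
    """Annotate each scanner finding with Debian's own verdict for `release`."""
    results = []
    for binary_pkg, cve in findings:
        source_pkg = binary_to_source.get(binary_pkg)
        entry = None
        if source_pkg is not None:
            entry = (tracker.get(source_pkg, {})
                            .get(cve, {})
                            .get("releases", {})
                            .get(release))
        results.append({
            "binary": binary_pkg,
            "source": source_pkg,
            "cve": cve,
            "bucket": classify(entry),
            # Debian's urgency is a separate judgement from the NVD score the
            # scanner shows; surfacing both side by side is the point.
            "debian_urgency": entry.get("urgency") if entry else None,
            "fixed_version": entry.get("fixed_version") if entry else None,
        })
    return results


def summarize(results):
    """Count findings per bucket so a report can separate 'rebuild' from 'accept or mitigate'."""
    return dict(Counter(r["bucket"] for r in results))


if __name__ == "__main__":
    rows = triage(SCAN_FINDINGS, TRACKER_SAMPLE)
    for r in rows:
        print(f"{r['cve']:16} {r['binary']:12} -> {r['bucket']:15} "
              f"urgency={r['debian_urgency']} fixed={r['fixed_version']}")
    print(summarize(rows))
```

With the constructed data both zlib1g and libaom3 land in "open-ignored" with Debian urgency "unimportant", which is exactly the situation described in the post: the scanner's critical rating comes from the NVD score, while the distribution's own tracker says the issue does not warrant a DSA in bookworm. Those findings cannot be cleared by an `apt upgrade`; they have to be either accepted with a documented reason or mitigated by other means (for the zlib case, for instance, by checking whether the affected component is built or used at all), whereas anything in the "fixed" bucket is simply a stale base image.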