Hi,
I've prepared a docker image based on Debian 12 (bookworm, fully
updated) and after uploading it to a local registry it was automatically
scanned for possible vulnerabilities.
Then I was really surprised when I discovered that according to this scan
there are 139 security vulnerabilities and 2 of them are CRITICAL (!).
I've started to dig further to find out what's going on there.
The first critical on the list is the "zlib1g" binary Debian package, which
is part of (a result of) the wider source package "zlib":
https://tracker.debian.org/pkg/zlib
According to this information (link below), this package is still
vulnerable in bookworm and marked as "(no-DSA, ignored)":
https://security-tracker.debian.org/tracker/source-package/zlib
But according to this (link below), that may be the case "if its
severity is minor":
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
But it seems this is a CRITICAL issue (with a score of 9.8 in one of its
three parts):
https://www.cvedetails.com/cve/CVE-2023-45853/
Why is it not fixed in bookworm? Or maybe I misunderstand something in
the information above?
Similar problem with the second critical on the list: package "libaom3",
which is a binary package from "aom":
https://tracker.debian.org/pkg/aom
https://security-tracker.debian.org/tracker/source-package/aom
https://www.cvedetails.com/cve/CVE-2023-6879/
Please help me to understand :-)
Best regards,
Rafal
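The mismatch described in the post (a scanner rating a finding CRITICAL by CVSS while the Debian security tracker marks the same CVE "no-DSA, ignored" for bookworm) can be checked mechanically by reconciling scanner findings against the tracker's data. The following is an added example, not code from the post or from Debian: it assumes the tracker's JSON export has the per-package, per-CVE, per-release shape sketched in the constructed sample (with `status`, `urgency`, `nodsa` and `nodsa_reason` keys), and the binary-to-source mapping and all statuses below are constructed for illustration, not live tracker data.

```python
import json

# Constructed sample mirroring the assumed shape of the Debian security tracker's
# JSON export (https://security-tracker.debian.org/tracker/data/json). Every
# status, urgency and version below is an assumption for illustration, not live data.
SAMPLE_TRACKER = json.loads("""{
  "zlib": {"CVE-2023-45853": {"releases": {
    "bookworm": {"status": "open", "urgency": "unimportant",
                 "nodsa": "Minor issue", "nodsa_reason": "ignored"}}}},
  "aom": {"CVE-2023-6879": {"releases": {
    "bookworm": {"status": "open", "urgency": "unimportant",
                 "nodsa": "Minor issue", "nodsa_reason": "ignored"}}}},
  "examplepkg": {"CVE-2099-0001": {"releases": {
    "bookworm": {"status": "resolved", "fixed_version": "1.0-2+deb12u1"}}}}
}""")

# Constructed binary-to-source mapping: scanners usually report the binary
# package name (zlib1g) while the tracker is keyed by source package (zlib).
BINARY_TO_SOURCE = {"zlib1g": "zlib", "libaom3": "aom", "examplepkg": "examplepkg"}

def classify(tracker, binary_pkg, cve, release="bookworm"):
    """Return (state, detail) for one scanner finding against the tracker data."""
    source = BINARY_TO_SOURCE.get(binary_pkg, binary_pkg)
    entry = tracker.get(source, {}).get(cve)
    if entry is None:
        return "not-tracked", f"{cve} is not listed for source package {source}"
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return "not-affected", f"no {release} entry for {source}"
    status = rel.get("status")
    if status == "resolved":
        return "fixed", f"fixed in {rel.get('fixed_version', 'unknown version')}"
    if status == "open" and "nodsa" in rel:
        # Open, but the security team decided no DSA will be issued for it.
        return "open-no-dsa", (f"{rel.get('nodsa_reason', 'no-dsa')}: {rel['nodsa']} "
                               f"(urgency {rel.get('urgency', 'unassigned')})")
    if status == "open":
        return "open", f"urgency {rel.get('urgency', 'unassigned')}"
    return "undetermined", f"tracker status {status!r}"

def triage(findings, tracker=SAMPLE_TRACKER, release="bookworm"):
    """Annotate scanner findings [(binary_pkg, cve, scanner_severity), ...]."""
    return [
        {"package": pkg, "cve": cve, "scanner": sev, "debian": state, "detail": detail}
        for pkg, cve, sev in findings
        for state, detail in [classify(tracker, pkg, cve, release)]
    ]
```

Running `triage` over the scanner's findings keeps both views side by side, so a finding that is CRITICAL by CVSS but "open-no-dsa" in Debian can be reviewed against the tracker's stated reason instead of being treated as an unpatched emergency or silently dropped.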