Rafał Lichwała wrote:
> Hi,
>
> I've prepared a Docker image based on Debian 12 (bookworm, fully updated)
> and after uploading it to a local registry it was automatically scanned for
> possible vulnerabilities.
> Then I was really surprised to discover that according to this scan
> there are 139 security vulnerabilities and 2 of them are CRITICAL (!).
> I've started to dig further to find out what's going on there.
>
> First critical on the list is the "zlib1g" binary Debian package, which is
> a part (a result) of the wider package "zlib":
>
> https://tracker.debian.org/pkg/zlib

The notes say:

[bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)

In other words, there's no point in fixing it because Debian doesn't build
the vulnerable binary component. Very low priority.

> But it seems this is a CRITICAL issue (with score 9.8 in one of its three
> parts):
>
> https://www.cvedetails.com/cve/CVE-2023-45853/

CVSS scores are often bogus.

> Similar problem in the second critical on the list: package "libaom3",
> which is a binary package from "aom":
>
> https://security-tracker.debian.org/tracker/source-package/aom

It could crash on invalid input. That's minor.

It could crash on invalid input. Also minor.

It could potentially be used to execute code with the privileges of the user
running the software, which is bad, but it appears to only exist in Android,
so Debian thinks it is not interesting.

-dsr-