CVE-2023-52425

[jonathannaguin]

• [x] I have read the SECURITY.md
• [x] I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
• [x] this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.

Please describe the image you encountered this with and a link to the debian security tracker https://security-tracker.debian.org/tracker/CVE-2023-52425

Images affected:

• gcr.io/distroless/java21-debian12:nonroot (sha256:b0c286a6ccb085223b9bca86677c999e8b17adea29c969743c9ea970a373f4dc )

• gcr.io/distroless/java17-debian12:nonroot (sha256:1083557050d06156736184777ebafbe403bea3e511356f3662d8351550b57c11 )

Current version is on 2.5.0, fix available on 2.6.0.

[loosebazooka]

There is no fix available. Box 3 should not have been checked. We cannot fix this until debian releases a fix.

[dlorenc]

FYI - we have this fixed in the chainguard images, our expat is at 2.6.0: https://github.com/wolfi-dev/os/blob/main/expat.yaml

Feel free to try:

% grype cgr.dev/chainguard/jdk
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                                                 cgr.dev/chainguard/jdk:latest
 ✔ Parsed image                                       sha256:dd715d4d9fbef5fe194eb7af70644af7655a5ea6ba54866a181c5c758e1f9345
 ✔ Cataloged packages              [68 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found