[x] I understand that this repo tracks debian package releases and cannot fix debian CVEs on its own
[ ] this CVE shows a fix is available in the appropriate debian version (buster, bullseye) and channel (main, security) and it has been more than 48 hours.
The stable version for Python11 in Debian 12 is 3.11.2, although 3.11.8 is available as "unstable".
I am unsure how Debian tags packages, but I found some old threads which seem to indicate stable will never change for that release, which would leave this CVE on the Distroless images until Debian trixie comes along.
Yeah, that's kind of an unfortunate side effect of tracking Debian. This seems like a minor update on the version number though, and maybe the fix will come?
Please describe the image you encountered this with and a link to the debian security tracker https://security-tracker.debian.org/tracker/CVE-2023-24329