amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Package Request] - Inaccurate CVE fix version for runc package #641

Closed balasurajgajula closed 4 months ago

balasurajgajula commented 4 months ago

Problem

In the Amazon Linux 2023 documentation, it's mentioned that a CVE for the runc package was resolved in version 1.1.11. However, according to the runc release notes, the fix for this CVE is included in version 1.1.12.

This is still showing as a vulnerability in some of the security scanning tools!

Additional Information

samueloph commented 4 months ago

@balasurajgajula most CVE fixes are done by backporting the patches instead of updating the major version of a package.

These scanners are returning false positives; you should reach out to them to ask about it.
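One way to verify the backport samueloph describes, as an added example that is not part of the issue thread or of the Amazon Linux project: it parses a package's RPM changelog (where backported CVE fixes are recorded, independent of the version number a scanner sees) for a CVE id and reports which package release carried the fix. The CVE id, package name and sample changelog are assumed placeholders, since the issue does not name the CVE.

```shell
# Added example, not code from the issue or the Amazon Linux project.
# Backported CVE fixes are recorded in the RPM changelog rather than in the
# version number, so the changelog is what to check when a scanner flags a
# package by version alone. CVE id and package name are caller-supplied
# placeholders; SAMPLE_CHANGELOG is constructed to mimic 'rpm -q --changelog'.

# Print the package release whose changelog entry first mentions the CVE id,
# reading changelog text from stdin; exit 1 if no entry mentions it.
changelog_fix_release() {
    cve="$1"
    awk -v cve="$cve" '
        /^\* / { header = $0 }                  # remember the current entry header
        index($0, cve) && !found {              # first line citing the CVE
            found = 1
            n = split(header, f, " - ")         # header ends with "- <version-release>"
            print f[n]
        }
        END { exit found ? 0 : 1 }'
}

# Live-host variant (not exercised here): query the installed package.
package_fix_release() {
    pkg="$1"; cve="$2"
    rpm -q --changelog "$pkg" 2>/dev/null | changelog_fix_release "$cve"
}

# Constructed sample in the format rpm prints; the CVE id is a placeholder.
SAMPLE_CHANGELOG='* Tue Jan 30 2024 Example Maintainer <maintainer@example.com> - 1.1.11-1.amzn2023
- Backport upstream fix for CVE-0000-00001

* Mon Dec 04 2023 Example Maintainer <maintainer@example.com> - 1.1.10-1.amzn2023
- Update to 1.1.10'

# Usage: printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fix_release CVE-0000-00001
```

On a real host, `package_fix_release runc CVE-XXXX-YYYYY` (with the real id) gives the release to compare against what the scanner reports.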

balasurajgajula commented 4 months ago

Thanks for the confirmation @samueloph that it was backported! Now it makes sense. 👍