Closed ed4wg closed 2 years ago
We just published updated images yesterday, so I think we're probably not including any packages with fixable vulnerabilities?
$ docker run -it --rm --pull=always debian:buster-slim
buster-slim: Pulling from library/debian
Digest: sha256:702bc27ef4be73f9c1d73c1a2bc58987c59b6fc8e8e04f46c166849817ce95dc
Status: Image is up to date for debian:buster-slim
root@f2d926ca881d:/# apt-get update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://deb.debian.org/debian-security buster/updates InRelease [34.8 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [56.6 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7909 kB]
Get:5 http://deb.debian.org/debian-security buster/updates/main amd64 Packages [380 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [8788 B]
Fetched 8511 kB in 2s (5326 kB/s)
Reading package lists... Done
root@f2d926ca881d:/# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Just confirmed the same here. Should have looked a day later :) Thanks!
I ran my image which is based on buster-slim through a vuln scanner and it was complaining about finding vulns for glibc that were fixed in 2.28-10+deb10u2. In further digging it looks like the buster-slim image does not have the latest version of that package. If I pull down debian:buster-slim and run apt update && apt list --upgradable I get:
If I do the same with debian:buster, it is already on the latest available version.