docker-library / buildpack-deps

MIT License

Vulnerability issues with linux-libc-dev package #146

Closed psinghmyob closed 1 year ago

psinghmyob commented 1 year ago

This one is using linux-libc-dev:5.10.179-1. It has 3 high vulnerabilities: CVE-2023-2156, CVE-2023-31248, CVE-2023-35001.

This can be solved by upgrading the above library. Shall I do something about it?

yosifkit commented 1 year ago

I am confident in saying that none of those matter for the image. They are all kernel vulnerabilities and linux-libc-dev is just the headers package. It contains the exact same header files across the two versions; the only difference is the package metadata and changelog.

$ debdiff linux-libc-dev_5.10.179-*
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-5.10.179-1-] {+5.10.179-2+}
$ diffoscope --exclude-directory-metadata recursive linux-libc-dev_5.10.179-*
--- linux-libc-dev_5.10.179-1_amd64.deb
+++ linux-libc-dev_5.10.179-2_amd64.deb
├── control.tar.xz
│ ├── control.tar
│ │ ├── ./control
│ │ │ @@ -1,10 +1,10 @@
│ │ │  Package: linux-libc-dev
│ │ │  Source: linux
│ │ │ -Version: 5.10.179-1
│ │ │ +Version: 5.10.179-2
│ │ │  Architecture: amd64
│ │ │  Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
│ │ │  Installed-Size: 5884
│ │ │  Section: devel
│ │ │  Priority: optional
│ │ │  Multi-Arch: same
│ │ │  Homepage: https://www.kernel.org/
│ │ ├── ./md5sums
│ │ │ ├── ./md5sums
│ │ │ │┄ Files differ
├── data.tar.xz
│ ├── data.tar
│ │ ├── ./usr/share/doc/linux-libc-dev/changelog.Debian.gz
│ │ │ ├── changelog.Debian
│ │ │ │ @@ -1,7 +1,17 @@
│ │ │ │ +linux (5.10.179-2) bullseye-security; urgency=high
│ │ │ │ +
│ │ │ │ +  * ipv6: rpl: Fix Route of Death. (CVE-2023-2156)
│ │ │ │ +  * netfilter: nf_tables: do not ignore genmask when looking up chain by id
│ │ │ │ +    (CVE-2023-31248)
│ │ │ │ +  * netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
│ │ │ │ +    (CVE-2023-35001)
│ │ │ │ +
│ │ │ │ + -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 14 Jul 2023 22:24:08 +0200
│ │ │ │ +
│ │ │ │  linux (5.10.179-1) bullseye-security; urgency=high
│ │ │ │  
│ │ │ │    * New upstream stable update:
│ │ │ │      https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.179
│ │ │ │      - [arm64] dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node
│ │ │ │      - netfilter: br_netfilter: fix recent physdev match breakage
│ │ │ │      - [arm64,armhf] regulator: fan53555: Explicitly include bits header

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link
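The debdiff/diffoscope check above, reproduced as an added, self-contained Python example (this is not code from the thread, the docker-library project, or Debian). It builds two tiny .deb archives in memory that stand in for linux-libc-dev 5.10.179-1 and 5.10.179-2: same header files, different Version field and changelog, which is exactly what the diffoscope output shows. It then hashes every file in each package's data.tar, ignoring /usr/share/doc, and reports the paths whose contents differ. The header file names and contents are constructed stand-ins, the packages use gzip rather than xz for the inner tarballs (both are valid .deb members), and a third package with a genuinely changed header is included so the check is seen to catch real content changes, not only to return "nothing".

```python
"""Compare the shipped payload of two .deb packages, ignoring changelog/metadata.

Added example, not from the issue thread. The .deb container format is a GNU
'ar' archive holding debian-binary, control.tar.* and data.tar.*; only data.tar
carries the files a scanner-visible version bump could actually change.
"""
import hashlib
import io
import tarfile


def _ar_member(name: bytes, payload: bytes) -> bytes:
    """Encode one 'ar' member: 60-byte header, payload, pad to even length."""
    # layout: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(payload)).encode().ljust(10) + b"`\n")
    assert len(header) == 60
    return header + payload + (b"\n" if len(payload) % 2 else b"")


def _tar_bytes(files: dict) -> bytes:
    """Pack {path: bytes} into a gzip-compressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(version: str, headers: dict, changelog: bytes) -> bytes:
    """Construct a minimal .deb for a hypothetical linux-libc-dev build."""
    control = f"Package: linux-libc-dev\nVersion: {version}\nArchitecture: amd64\n".encode()
    data_files = dict(headers)
    data_files["./usr/share/doc/linux-libc-dev/changelog.Debian"] = changelog
    return (b"!<arch>\n"
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", _tar_bytes({"./control": control}))
            + _ar_member(b"data.tar.gz", _tar_bytes(data_files)))


def ar_members(blob: bytes) -> dict:
    """Parse an 'ar' archive into {member name: bytes}."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        assert hdr[58:60] == b"`\n", "bad ar member header"
        name = hdr[:16].rstrip().rstrip(b"/").decode()   # GNU style may end in '/'
        size = int(hdr[48:58].strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                    # members are 2-byte aligned
    return members


def payload_digests(deb: bytes, ignore_prefixes=("usr/share/doc/",)) -> dict:
    """{path: sha256} of every regular file in data.tar, minus documentation."""
    members = ar_members(deb)
    data = next(v for k, v in members.items() if k.startswith("data.tar"))
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for info in tar:
            path = info.name[2:] if info.name.startswith("./") else info.name
            if not info.isfile() or path.startswith(ignore_prefixes):
                continue
            digests[path] = hashlib.sha256(tar.extractfile(info).read()).hexdigest()
    return digests


def payload_diff(deb_a: bytes, deb_b: bytes) -> dict:
    """Paths whose shipped content differs (or exists on one side only)."""
    a, b = payload_digests(deb_a), payload_digests(deb_b)
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}


# Constructed stand-ins for kernel UAPI headers; not the real files.
HEADERS = {
    "./usr/include/linux/version.h": b"#define LINUX_VERSION_CODE 330419\n",
    "./usr/include/linux/netfilter/nf_tables.h": b"/* constructed placeholder */\n",
}
CHANGELOG_1 = b"linux (5.10.179-1) bullseye-security; urgency=high\n"
CHANGELOG_2 = (b"linux (5.10.179-2) bullseye-security; urgency=high\n\n"
               b"  * ipv6: rpl: Fix Route of Death. (CVE-2023-2156)\n\n" + CHANGELOG_1)
DEB_1 = build_deb("5.10.179-1", HEADERS, CHANGELOG_1)          # flagged by the scanner
DEB_2 = build_deb("5.10.179-2", HEADERS, CHANGELOG_2)          # the "fix": metadata only
DEB_3 = build_deb("5.10.180-1",                                # a real header change
                  dict(HEADERS, **{"./usr/include/linux/version.h":
                                   b"#define LINUX_VERSION_CODE 330420\n"}), CHANGELOG_1)

if __name__ == "__main__":
    print("179-1 vs 179-2:", payload_diff(DEB_1, DEB_2) or "payload identical")
    print("179-1 vs 180-1:", payload_diff(DEB_1, DEB_3))
```

An empty result for the -1/-2 pair is the point of yosifkit's reply: the scanner matches the CVE against the Version field in the control data, while the files that actually land in the image are byte-for-byte the same, and the fixes named in the changelog live in the kernel that the host, not the container, runs. On real packages the same comparison is what `debdiff` and `diffoscope` perform, and they also understand xz members, control scripts and symlinks that this in-memory version deliberately leaves out.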