Hi John,

On Fri, May 17, 2024 at 04:01:56PM -0400, John Waffle wrote:
> This report came from a free tool, trivy, I filed a GitHub discussion about
> it here: https://github.com/aquasecurity/trivy/discussions/6722

Thanks a lot for bringing that upstream.

So to add some additional data point: The issue arises here by maybe thinking zlib refers to the binary package produced. It is correct, for the binary package zlib then indeed you would not be vulnerable.

Let me as well elaborate on the "ignored". This comes as the binary packages built from the *vulnerable* source, there is no point to force an update in bookworm and older.

I hope this all gives a better picture now of the CVE. If you still have questions, feel free to ask.

Regards,
Salvatore