Debian package was reported as fixed but it is not #6143
Replies: 2 comments 1 reply
-
Hello @beltran-rubo, we are already working on this matter: aquasecurity/trivy-db#381. Regards, Dmitriy
-
Hi, I posted this in the subthread, but I am posting here in case you managed to solve this @beltran-rubo. Any chance you can assist?

Hi there. I am new to this; could you kindly assist with the issue I am having?

On 7 February 2024 we ran our pipeline, with Docker installing this version via apt-get: `libgnutls30=3.7.1-5+deb11u3`. It worked fine. On 15 February 2024 we ran the same pipeline with the same settings, and it failed with exit code 100. I presume now that this means the version tag "3.7.1-5+deb11u3" does not exist anymore. Is that correct?

I consequently used this thread to determine what the correct version tag to use would be: https://avd.aquasec.com/nvd/2024/cve-2024-0567/

I tried `libgnutls30=3.7.1-5+deb11u4`; it does appear to install this version, however Trivy flags a vulnerability. I then tried `libgnutls30=3.7.1-5+deb11u5`: exit code 100. It does not appear that this version currently exists?

In this context I am somewhat new to this; could you kindly explain if/when this will be ready for us, and whether it will effectively address the above vulnerability?

Finally, I do see mention made of libgnutls28 instead of 30 in various threads and instances. Is it correct for me to use `libgnutls30=3.7.1-5+deb11u5` or `libgnutls28=3.7.1-5+deb11u5`? Note the difference 28/30. Thank you
-
IDs
CVE-2024-0567
Description
The Debian 11 package "libgnutls30" is reported as fixed when the upstream version is not.
See https://security-tracker.debian.org/tracker/CVE-2024-0567: for bullseye the latest package available is 3.7.1-5+deb11u4,
and the Trivy report shows that version 3.7.1-5+deb11u5 is available when it is not.

```
│ Library     │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version   │
│ libgnutls30 │ CVE-2024-0567 │ HIGH     │ fixed  │ 3.7.1-5+deb11u3   │ 3.7.1-5+deb11u5 │
```

Could it be that Trivy is detecting the source package version that is available rather than the binary package in the repository?
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Target OS: No response
Debug Output:
Version:
Checklist: `-f json` that shows data sources and confirmed that the security advisory in data sources was correct