Docker.io version inconsistencies

Bug #1878942 reported by Chema on 2020-05-15
This bug affects 1 person
Affects: Ubuntu CVE Tracker
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi team,

In the Bionic feed available at https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2 I have found that the version of the package docker.io is represented in different formats. Here I paste some CVEs with the comment extracted from their corresponding criteria:

CVE-2019-1020014
  comment="docker.io package in bionic was vulnerable but has been fixed (note: '18.09.7-0ubuntu1~18.04.4')."

CVE-2014-8178
  comment="docker.io package in bionic, is related to the CVE in some way and has been fixed (note: '1.13.1-0ubuntu4')."

CVE-2019-13139
  comment="docker.io package in bionic, is related to the CVE in some way and has been fixed (note: '18.09.7')."

However, it seems the packages provided by the official repositories always contain the full version (including ~18.04.X).

Is it a known bug or could you provide me some guidance to understand why there is this heterogeneity in the feed?

Best regards,
Chema.
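
An added example, not part of the original report and not Canonical's tooling: a small audit that pulls the `note:` version out of each criterion comment for one package and labels its format, so the inconsistency described above can be listed across a feed. The XML skeleton, ids, the `audit`/`classify` names and the format labels are assumptions; only the three comment strings come from the report.

```python
import re
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
NOTE_RE = re.compile(r"^(?P<pkg>\S+) package in (?P<rel>\w+).*\(note: '(?P<ver>[^']+)'\)")

# Constructed sample: simplified OVAL skeleton with made-up ids; only the
# comment strings are the ones quoted in the report.
_DEF = ('<definition id="sample:def:{n}"><metadata><title>{cve}</title></metadata>'
        '<criteria><criterion test_ref="sample:tst:{n}" comment="{c}"/></criteria>'
        '</definition>')
_COMMENTS = [
    ("CVE-2019-1020014", "docker.io package in bionic was vulnerable but has "
     "been fixed (note: '18.09.7-0ubuntu1~18.04.4')."),
    ("CVE-2014-8178", "docker.io package in bionic, is related to the CVE in "
     "some way and has been fixed (note: '1.13.1-0ubuntu4')."),
    ("CVE-2019-13139", "docker.io package in bionic, is related to the CVE in "
     "some way and has been fixed (note: '18.09.7')."),
]
SAMPLE = ('<oval_definitions xmlns="%s"><definitions>' % NS["oval"]
          + "".join(_DEF.format(n=i, cve=cve, c=c)
                    for i, (cve, c) in enumerate(_COMMENTS))
          + "</definitions></oval_definitions>")

def classify(version):
    """Label a Debian-style version string: upstream[-revision[~suffix]]."""
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        return "upstream-only"          # e.g. 18.09.7
    if "~" in revision:
        return "revision+release"       # e.g. 18.09.7-0ubuntu1~18.04.4
    return "revision-only"              # e.g. 1.13.1-0ubuntu4

def audit(xml_text, package):
    """Return (CVE title, note version, format label) for one package."""
    rows = []
    root = ET.fromstring(xml_text)
    for d in root.iterfind(".//oval:definition", NS):
        title = d.findtext("oval:metadata/oval:title", default="", namespaces=NS)
        for c in d.iterfind(".//oval:criterion", NS):
            m = NOTE_RE.match(c.get("comment", ""))
            if m and m["pkg"] == package:
                rows.append((title, m["ver"], classify(m["ver"])))
    return rows

if __name__ == "__main__":
    for cve, ver, kind in audit(SAMPLE, "docker.io"):
        print(f"{cve:18} {ver:28} {kind}")
```
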
