Docker.io version inconsistencies

Bug #1878942 reported by Chema
This bug affects 1 person

Affects: Ubuntu CVE Tracker
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi team,

In the Bionic feed available at https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2 I have found that the version of the package docker.io is represented in different formats. Here I paste some CVEs with the comment extracted from their corresponding criteria:

CVE-2019-1020014
  comment="docker.io package in bionic was vulnerable but has been fixed (note: '18.09.7-0ubuntu1~18.04.4')."

CVE-2014-8178
  comment="docker.io package in bionic, is related to the CVE in some way and has been fixed (note: '1.13.1-0ubuntu4')."

CVE-2019-13139
  comment="docker.io package in bionic, is related to the CVE in some way and has been fixed (note: '18.09.7')."

However, it seems the packages provided by the official repositories always contain the full version (including ~18.04.X).

Is it a known bug or could you provide me some guidance to understand why there is this heterogeneity in the feed?

Best regards,
Chema.
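
An added example, not part of the report and not Ubuntu's own tooling: a compact Python implementation of Debian version ordering, applied to the three note strings quoted above, to show how a consumer of the feed can compare an installed docker.io version against a note with or without the revision suffix. The function names are this example's own, and the installed version used is the one from the first note.

```python
import re

# Constructed sample: the three criterion comments quoted in the report.
COMMENTS = {
    "CVE-2019-1020014": "docker.io package in bionic was vulnerable but has been fixed (note: '18.09.7-0ubuntu1~18.04.4').",
    "CVE-2014-8178": "docker.io package in bionic, is related to the CVE in some way and has been fixed (note: '1.13.1-0ubuntu4').",
    "CVE-2019-13139": "docker.io package in bionic, is related to the CVE in some way and has been fixed (note: '18.09.7').",
}

def note_version(comment):
    """Return the version inside (note: '...'), or None if absent."""
    m = re.search(r"\(note: '([^']+)'\)", comment)
    return m.group(1) if m else None

def order(ch):
    # dpkg weights: '~' < end of string < letters < other characters
    if ch in ("~", ""):
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def cmp_part(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            diff = order(na[i:i + 1]) - order(nb[i:i + 1])
            if diff:
                return diff
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v):
    """Split [epoch:]upstream[-revision]; a missing revision becomes ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def dpkg_cmp(x, y):
    """Negative, zero or positive as x sorts before, equal to or after y."""
    (ex, ux, rx), (ey, uy, ry) = split_version(x), split_version(y)
    return (ex - ey) or cmp_part(ux, uy) or cmp_part(rx, ry)

def is_fixed(installed, note):
    return dpkg_cmp(installed, note) >= 0  # installed is at or past the note
```

Under this ordering a bare upstream note such as '18.09.7' sorts before every '18.09.7-0ubuntu…' build, so the comparison stays well defined for all three formats.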
