canonical/sec-cvescan

cloud-init package listed as fixable, but not yet available in official repositories

Opened this issue · 3 comments

CVEScan is reporting CVE-2021-3429 as fixable, but the suggested version (21.1-19-gbad84ad4-0ubuntu1~xx.yy.z) does not seem to be available in the official repositories, i.e. when I run apt-get update && apt-get install cloud-init I get the following:

$ apt-get update && apt-get install cloud-init

Reading package lists... Done
Building dependency tree
Reading state information... Done
cloud-init is already the newest version (20.4.1-0ubuntu1~xx.yy.z).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Launchpad shows the latest package as being in the "proposed" state:
[screenshot]

Is it possible that CVEScan's source for package availability is misreporting actual availability?
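The check the reporter did by hand (compare the version cvescan says fixes the CVE against what apt will actually install) can be automated. The following is an added example written for this page, not code from cvescan or the issue; it implements the Debian version-ordering rules (epoch, upstream, revision, with `~` sorting before everything including the end of a string) and reads the `Candidate:` line of `apt-cache policy <pkg>` output. The policy output below is a constructed sample modelled on the versions quoted in the report; the placeholder `~xx.yy.z` suffixes are kept as they appear above.

```python
"""Decide whether a CVE fix version is really installable from the configured apt sources.

Hypothetical helper (not part of cvescan). Feed it the output of
`apt-cache policy <package>` and the fixed version a scanner reports.
"""
import re


def _order(c):
    """Debian ordering for one non-digit character: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256  # '.', '+', '-' etc. sort after letters


def _cmp_fragment(a, b):
    """Compare an upstream-version or debian-revision string, Debian style.

    Alternate non-digit runs (lexical, via _order) and digit runs (numeric).
    Returns -1, 0 or 1.
    """
    while a or b:
        ta = re.match(r"[^0-9]*", a).group(0)
        tb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            oa = _order(ta[i]) if i < len(ta) else 0  # 0 = end of string
            ob = _order(tb[i]) if i < len(tb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")  # last '-' starts the revision
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1 if a < b, 0 if equal, 1 if a > b under Debian version ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    return c if c else _cmp_fragment(ra, rb)


def candidate_version(policy_output):
    """Extract the version apt would install from `apt-cache policy` output."""
    for line in policy_output.splitlines():
        line = line.strip()
        if line.startswith("Candidate:"):
            return line.split(":", 1)[1].strip()
    return None


def fix_installable(policy_output, fixed_version):
    """True only if the apt candidate already meets the version the scanner calls fixed."""
    cand = candidate_version(policy_output)
    if cand is None or cand == "(none)":
        return False
    return compare_versions(cand, fixed_version) >= 0


# Constructed sample: what `apt-cache policy cloud-init` looked like for the reporter.
SAMPLE_POLICY = """\
cloud-init:
  Installed: 20.4.1-0ubuntu1~xx.yy.z
  Candidate: 20.4.1-0ubuntu1~xx.yy.z
  Version table:
 *** 20.4.1-0ubuntu1~xx.yy.z 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
"""
REPORTED_FIX = "21.1-19-gbad84ad4-0ubuntu1~xx.yy.z"  # version cvescan named in the report

if __name__ == "__main__":
    ok = fix_installable(SAMPLE_POLICY, REPORTED_FIX)
    print("fix installable from configured sources:", ok)
```

For a real system, `dpkg --compare-versions A lt B` is the reference implementation of the same ordering and can be used to cross-check `compare_versions`; the point of the script is to flag the situation in the report, where the scanner's "fixed" version is newer than anything apt can see, so the finding is not yet actionable.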

pjbgf commented

I am also experiencing the same issue. I am assuming it is an issue with the Ubuntu vulnerability database upstream. Maybe for situations like this it would be good for cvescan to have a way to ignore a specific CVE.

Hi, thanks for the bug report.

That is correct, the CVE tracker for CVE-2021-3429 had been incorrectly annotated to mark that cloud-init had been fixed. I have corrected the state to note that the fixes are still pending. This should probably filter out into the data that cvescan bases its reporting on within a couple of hours.

pjbgf commented

I confirm this now works for me, thank you for the quick turnaround @stevebeattie