corretto/corretto-11

Binary scan of Corretto 11.0.20.9.1 shows clean, but libjpeg constituent shows vuln

jeremysshaw opened this issue · 1 comment

I regard this as not quite a vulnerability report, because all the information is publicly available. Hence posting here.

A BlackDuck Binary Analysis scan of Corretto 11.0.20.9.1 shows no vulnerabilities at the top level. However, the package is shown to contain a vulnerable version of libjpeg, version 6b. The latest version of libjpeg is 9e.

Is this a real issue in Corretto, or a false positive in Black Duck Binary Analysis (BDBA)?

BDBA detects libjpeg 6b in the following files:

- amazon-corretto-11.0.20.9.1-linux-x64.tar.gz, inside: amazon-corretto-11.0.20.9.1-linux-x64/lib/libjavajpeg.so
- amazon-corretto-11.0.20.9.1-linux-x64.tar.gz, inside: amazon-corretto-11.0.20.9.1-linux-x64/lib/libsplashscreen.so

Thanks for any help,

jeremy.

yftsai commented

Thanks for the notification, but please report the vulnerability via AWS Security according to the policy.