[BUG]: ALSA-2023:5259 record is missing that it fixes CVE-2023-5157 #511

@willmurphyscode

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In working to add AlmaLinux support to Grype I noticed that https://errata.almalinux.org/8/ALSA-2023-5259.html doesn't list https://access.redhat.com/security/cve/cve-2023-5157 as one of the CVEs it fixes, but https://access.redhat.com/errata/RHSA-2023:5259 does.

I think this is just a small data gap that results in that CVE having a false positive match in our scanner, since we can't find a fix version.

Happy to help in any way I can.

Thanks!

Expected Behavior

https://errata.almalinux.org/8/ALSA-2023-5259.html should have the same related CVEs as https://access.redhat.com/errata/RHSA-2023:5259

Steps To Reproduce

  1. With any reasonable version of any reasonable browser, visit https://errata.almalinux.org/8/ALSA-2023-5259.html or https://osv.dev/vulnerability/ALSA-2023:5259
  2. Visit https://access.redhat.com/errata/RHSA-2023:5259
  3. Notice that https://access.redhat.com/security/cve/cve-2023-5157 is on the fixed list from step 2 but not from step 1.

Anything else?

Discussed on security chat at https://chat.almalinux.org/almalinux/pl/g5p18nai7789tychyj6sq9y1ee

Search terms

advisory, data

Metadata

Assignees: No one assigned

Labels: bug (Something isn't working), errata (Anything related to errata, like processing/generation of Erratas, OVAL, updateinfo, etc)

Status: Ready for dev

Milestone: No milestone