Critical CVE in Fluentd Image

[AdeepKrishnaKeelar]

There has been a persistent critical CVE in the fluentd-kubernetes and after checking the latest image (fluent/fluentd:v1.16.2-debian-1.0) and running a trivy scan (trivy image --security-checks vuln fluent/fluentd:v1.16.2-debian-1.0), I have noticed that the critical issue has not been resolved. The logs are as followed --

fluent/fluentd:v1.16.2-debian-1.0 (debian 11.7)
===============================================
Total: 1 (CRITICAL: 1)

┌──────────┬───────────────┬──────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │  Status  │ Installed Version │ Fixed Version │                         Title                          │
├──────────┼───────────────┼──────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3 │ CVE-2019-8457 │ CRITICAL │ affected │ 5.3.28+dfsg1-0.8  │               │ sqlite: heap out-of-bound read in function rtreenode() │
│          │               │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457              │
└──────────┴───────────────┴──────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Is there any chance of getting this issue addressed in the build of the image in the upcoming updates or any help on this matter would be highly appreciated!

[ashie]

It's treated as minor issue in Debian, so it's considered as false positive:

https://security-tracker.debian.org/tracker/CVE-2019-8457

[bullseye] - db5.3 <no-dsa> (Minor issue)

Affected function is not used in Debian and meant for debugging purposes,
backporting the fix would be very complex.