vulnerabilities in Debian os version and bash version issue

[ragaspce]

Hi Team,
Greeting of the day.
I am using tomcat:9.0.46-jdk11 which has Debian GNU/Linux 10 (buster) and bash version 5.0-4. we found that there is a high-level vulnerability (CVE-2019-18276) with the bash version which is fixed in 5.0-5. please point me to a docker image which JKD 11 and tomcat 9 where the bash vulnerability is fixed.
Thanks in advance. :)

[wglambert]

https://security-tracker.debian.org/tracker/CVE-2019-18276
Buster is still vulnerable, Also the Debian security team notes it is a "negligible security impact" and the urgency is "unimportant"

Any listed tag with bullseye will be fixed for this cve https://github.com/docker-library/docs/blob/master/tomcat/README.md#supported-tags-and-respective-dockerfile-links

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).