
[BUG]: ALSA-2023:5259 record is missing that it fixes CVE-2023-5157

Open willmurphyscode opened this issue 3 months ago • 1 comment

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

In working to add AlmaLinux support to Grype I noticed that https://errata.almalinux.org/8/ALSA-2023-5259.html doesn't list https://access.redhat.com/security/cve/cve-2023-5157 as one of the CVEs it fixes, but https://access.redhat.com/errata/RHSA-2023:5259 does.

I think this is just a small data gap that results in that CVE having a false positive match in our scanner, since we can't find a fix version.

Happy to help in any way I can.

Thanks!

Expected Behavior

https://errata.almalinux.org/8/ALSA-2023-5259.html should have the same related CVEs as https://access.redhat.com/errata/RHSA-2023:5259

Steps To Reproduce

  1. With any reasonable version of any reasonable browser, visit https://errata.almalinux.org/8/ALSA-2023-5259.html or https://osv.dev/vulnerability/ALSA-2023:5259
  2. Visit https://access.redhat.com/errata/RHSA-2023:5259
  3. Notice that https://access.redhat.com/security/cve/cve-2023-5157 is on the fixed list from step 2 but not from step 1.

Anything else?

Discussed on security chat at https://chat.almalinux.org/almalinux/pl/g5p18nai7789tychyj6sq9y1ee

Search terms

advisory, data

willmurphyscode, Oct 28 '25 15:10
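The comparison in the reproduction steps can be automated as a data-quality check. The following is an added example, not code from the issue, AlmaLinux or Grype: it diffs the CVE ids of an OSV-schema ALSA record against the CVE links of the matching RHSA. The sample record, the placeholder id `CVE-1900-0001`, the function names and the choice of OSV fields read (`aliases`, `related`, `upstream`, reference URLs) are assumptions.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
ADVISORY_RE = re.compile(r"^ALSA-(\d{4})[-:](\d+)$")

def upstream_advisory_id(alsa_id):
    """Map ALSA-2023:5259 (or the URL form ALSA-2023-5259) to RHSA-2023:5259."""
    m = ADVISORY_RE.match(alsa_id.strip().upper())
    if not m:
        raise ValueError("not an ALSA id: %r" % alsa_id)
    return "RHSA-%s:%s" % m.groups()

def extract_cves(strings):
    """Pull CVE ids out of ids or URLs, normalised to upper case."""
    found = set()
    for s in strings:
        found.update(c.upper() for c in CVE_RE.findall(s))
    return found

def osv_cves(record):
    """CVE ids an OSV-schema record declares via id lists or reference URLs."""
    values = []
    for field in ("aliases", "related", "upstream"):
        values.extend(record.get(field) or [])
    values.extend(ref.get("url", "") for ref in record.get("references") or [])
    return extract_cves(values)

def missing_cves(alsa_record, upstream_cve_refs):
    """CVE ids the upstream advisory lists that the ALSA record does not."""
    return sorted(extract_cves(upstream_cve_refs) - osv_cves(alsa_record))

# Constructed sample data: CVE-1900-0001 is a placeholder, not a real entry
# of either advisory. Only CVE-2023-5157 comes from the issue text.
ALSA_RECORD = {
    "id": "ALSA-2023:5259",
    "related": ["CVE-1900-0001"],
    "references": [{"type": "ADVISORY",
                    "url": "https://errata.almalinux.org/8/ALSA-2023-5259.html"}],
}
UPSTREAM_CVE_REFS = [
    "https://access.redhat.com/security/cve/cve-1900-0001",
    "https://access.redhat.com/security/cve/cve-2023-5157",
]

if __name__ == "__main__":
    print(upstream_advisory_id(ALSA_RECORD["id"]), "lists but", ALSA_RECORD["id"],
          "omits:", missing_cves(ALSA_RECORD, UPSTREAM_CVE_REFS))
```

A non-empty result marks a CVE for which a scanner keyed on the ALSA data will find no fix version, which is the false-positive condition the issue describes.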