I'm using grype in order to see what CVEs are a match for libkrb5-3@1.20.1-2+deb12u2 (purl: "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&upstream=krb5&distro=debian").
And I'm getting CVE-2024-37371 as a match.
According to the Debian security tracker, this version should have this CVE fixed.
Am I missing something?
SBOM I used:
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2025-03-30T13:21:30.733Z",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft"
      }
    ],
    "component": {
      "type": "library",
      "name": "libkrb5-3:1.20.1-2+deb12u2",
      "bom-ref": "BomRef.mra4425cguo.0jrk04bhd1"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "libkrb5-3",
      "version": "1.20.1-2+deb12u2",
      "bom-ref": "BomRef.s99gd870nd8.ogo8kh99fso",
      "purl": "pkg:deb/debian/libkrb5-3@1.20.1-2%2Bdeb12u2?arch=amd64&distro=debian&upstream=krb5",
      "properties": [
        {
          "name": "syft:package:metadataType",
          "value": "dpkg-db-entry"
        },
        {
          "name": "syft:metadata:source",
          "value": "krb5"
        },
        {
          "name": "syft:metadata:metadataType",
          "value": "dpkg-db-entry"
        },
        {
          "name": "syft:metadata:installedSize",
          "value": "1163"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "BomRef.mra4425cguo.0jrk04bhd1"
    },
    {
      "ref": "BomRef.s99gd870nd8.ogo8kh99fso"
    }
  ]
}
Thanks a lot!