
Debian’s security tracker says a CVE is fixed, while BlackDuck scanner detects it

Çağlar Arlı


I stumbled across a vulnerability considered a critical security risk (CVE-2023-25139) in one of the container images I build.

Debian's security tracker states it's fixed: https://security-tracker.debian.org/tracker/CVE-2023-25139 - specifically, in Debian Sid with glibc 2.37-12, while BlackDuck says it's still there. I know false positives are possible, and normally I check the package's changelog when in doubt. Normally CVEs are listed there when the package is patched to fix them.

I've checked the changelog: https://metadata.ftp-master.debian.org/changelogs//main/g/glibc/glibc_2.37-12_changelog - and there's nothing there about CVE-2023-25139.

Now if it wasn't listed as fixed in their security tracker, I'd expect it's going to be fixed later, in a week or two, but it seems like Debian thinks everything's fine while BlackDuck doesn't, and I don't understand what's actually going on there.

Is there anything else I should check, apart from the security tracker and the changelog? Cross-check it with other scanners (e.g. trivy doesn't detect it)? Maybe I misunderstand Debian's security patching process; had it been in the changelog, I'd have that going for my image.
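One way to make that cross-check mechanical, added here as an example rather than anything from the question or from Debian's own tooling: it reads a constructed sample in the layout of the tracker's JSON export (that layout, and "0" as the not-affected marker, are assumptions about the format) and orders versions with a port of dpkg's comparison algorithm, so a scanner verdict can be checked against what the tracker actually claims for the version installed in the image.

```python
import itertools, json, re

# Constructed sample in the layout of the tracker's JSON export
# (https://security-tracker.debian.org/tracker/data/json); only sid mirrors the question.
TRACKER_JSON = """{"glibc": {"CVE-2023-25139": {"releases": {
  "sid": {"status": "resolved", "fixed_version": "2.37-12"},
  "bookworm": {"status": "resolved", "fixed_version": "0"},
  "bullseye": {"status": "open"}}}}}"""

def _weight(c):
    # dpkg character weight: digits 0, letters by code point, '~' below end-of-string
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _cmp_fragment(a, b):
    # Port of dpkg's verrevcmp(): walk alternating non-digit and numeric runs;
    # a missing character weighs 0, so "1.0~rc1" sorts before "1.0".
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in itertools.zip_longest(runs(a), runs(b), fillvalue=("", "")):
        width = max(len(sa), len(sb))
        ka = [_weight(c) for c in sa] + [0] * (width - len(sa))
        kb = [_weight(c) for c in sb] + [0] * (width - len(sb))
        if ka != kb:
            return 1 if ka > kb else -1
        if int(na or 0) != int(nb or 0):
            return 1 if int(na or 0) > int(nb or 0) else -1
    return 0

def compare_versions(a, b):
    # Same verdict as `dpkg --compare-versions`: -1, 0 or 1 over epoch, upstream, revision
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    for x, y in zip(split(a), split(b)):
        c = x - y if isinstance(x, int) else _cmp_fragment(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0

def cve_status(tracker_json, package, cve, release, installed):
    # Reconcile the installed version with the tracker's per-release verdict
    entry = json.loads(tracker_json)[package][cve]["releases"].get(release)
    if entry is None:
        return "unknown"  # release not listed: say so rather than guess
    if entry.get("fixed_version") == "0":
        return "not-affected"  # assumed marker the tracker uses for not-affected releases
    if entry["status"] != "resolved":
        return "open"
    return "fixed" if compare_versions(installed, entry["fixed_version"]) >= 0 else "vulnerable"
```

Feed it the real export and the output of `dpkg-query -W -f='${Version}' glibc` (or the libc6 binary package) from inside the image; a "fixed" here against a scanner's "vulnerable" is the signal to treat the finding as a version-matching false positive and raise it with the scanner vendor.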