I would like to refer to my started discussion in below link on github.
I would like to focus on vulnerability CVE-2019-9948.
Trivy scanner during scan process retrieves data from Rocky Errata Database, relies on this database. Since keyword CVE-2019-9948 refers to Rocky Enterprise Software Foundation Product Errata, Trivy does not treat my eon-of-life python 3.6 platform as vulnerable with examples vulnerabilities included in github’s discussion. However, according to nvd nist go details about CVE-2019-9948, python 3.6.8 platform libraries are also vulnerable to be used for a bad purpose.
The above Rocky Errata involves only python 2 version but it doesn’t mean that python 3.6.8 is safe without any security patches that neither me nor Trivy scanner couldn’t find in Rocky Erratas Database, right? Could you explain why the Errata patches was released only for python 2 version with connected libraries to it and skip python 3 platform?
I know that I need to update python platform due to EOL status but I have been analysing Trivy behavior for a while and I am willing to get to know some details about Erratas.
The same case about RLSA-2023:6746 for Rocky Linux 9, will be a security patch released for Rocky Linux 8 or library nghttp2 is safe without any security patches for Rocky Linux 8?