Description
In glvd, for glibc we currently have the following situation:
It looks like all Garden Linux versions are not vulnerable to the glibc CVEs, but the problem is that the 'fixed' version provided by the Debian security tracker is useless for us.
Example CVE:
Info in Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2024-33601
In the 'list' file from the tracker git repo, this is the information we have for this CVE:

Interestingly, the JSON provided by the Debian security tracker does provide more information:

Still, this does not provide the information for all minor versions; specifically, 2.39 is missing.
Information in glvd:

All 1592 versions of Garden Linux have glibc version 2.39, while the Debian security tracker marks 2.37-19 as 'resolved'. The part after the dash indicates the Debian patch level.
The question we can't answer: does 2.39-6 include the patches from 2.37-19?
What we need: find out which patch level of the right minor version (2.39 in our case) includes the fix. Comparing the versions numerically is wrong: 2.39 is larger than 2.37, but that tells us nothing about a specific vulnerability, and comparing patch levels across different minor versions is obviously not meaningful either.
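To make the pitfall concrete, here is an added example (not glvd code and not part of this issue) that ports dpkg's version ordering to Python and puts a naive check next to the careful one. The version strings and the `assess`/`naive_assess` helpers are constructed for illustration; the ordering rules follow dpkg's `verrevcmp()` as I remember them (epoch, then upstream, then revision; `~` sorts lowest; digit runs compared numerically). The careful check refuses to compare patch levels unless the upstream part matches, which is exactly the gap described above: 2.37-19 says nothing about 2.39-6.

```python
"""Decide whether an installed Debian-style package version includes a fix.

Constructed example: the version strings are sample values, not output of glvd
or the Debian security tracker. The ordering ports dpkg's verrevcmp(); the
'unknown' verdict encodes the rule this issue asks for: a fixed version from one
upstream release (2.37-19) is not comparable to another upstream release (2.39-6).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DebVersion:
    """[epoch:]upstream[-revision], as in dpkg."""
    epoch: int
    upstream: str
    revision: str

    @classmethod
    def parse(cls, text: str) -> "DebVersion":
        epoch = 0
        if ":" in text:
            epoch_str, text = text.split(":", 1)
            epoch = int(epoch_str)
        # The revision is everything after the LAST dash; upstream may contain dashes.
        upstream, dash, revision = text.rpartition("-")
        if not dash:
            upstream, revision = text, ""
        return cls(epoch, upstream, revision)


def _at(s: str, i: int) -> str:
    """Character at i, or '' past the end (stands in for C's NUL terminator)."""
    return s[i] if i < len(s) else ""


def _order(c: str) -> int:
    """Sort weight of a single non-digit character, as in dpkg's order()."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even the empty string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments with dpkg semantics: <0, 0 or >0."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (_at(a, ia) and not _at(a, ia).isdigit()) or (_at(b, ib) and not _at(b, ib).isdigit()):
            ac, bc = _order(_at(a, ia)), _order(_at(b, ib))
            if ac != bc:
                return ac - bc
            ia, ib = ia + 1, ib + 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while _at(a, ia) == "0":
            ia += 1
        while _at(b, ib) == "0":
            ib += 1
        while _at(a, ia).isdigit() and _at(b, ib).isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia, ib = ia + 1, ib + 1
        if _at(a, ia).isdigit():
            return 1
        if _at(b, ib).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: DebVersion, b: DebVersion) -> int:
    """Full dpkg ordering: epoch, then upstream, then Debian revision."""
    if a.epoch != b.epoch:
        return a.epoch - b.epoch
    return _verrevcmp(a.upstream, b.upstream) or _verrevcmp(a.revision, b.revision)


def naive_assess(installed: str, fixed: str) -> str:
    """The misleading check: 'fixed' whenever installed >= fixed in dpkg order."""
    inst, fix = DebVersion.parse(installed), DebVersion.parse(fixed)
    return "fixed" if compare_versions(inst, fix) >= 0 else "vulnerable"


def assess(installed: str, fixed: str) -> str:
    """Compare patch levels only within one upstream release; otherwise admit 'unknown'."""
    inst, fix = DebVersion.parse(installed), DebVersion.parse(fixed)
    if inst.upstream != fix.upstream:
        return "unknown"  # e.g. fixed 2.37-19 vs installed 2.39-6: not comparable
    return "fixed" if compare_versions(inst, fix) >= 0 else "vulnerable"


if __name__ == "__main__":
    for installed, fixed in [("2.39-6", "2.37-19"), ("2.39-6", "2.39-4"), ("2.39-6", "2.39-8")]:
        print(f"{installed} vs fixed {fixed}: naive={naive_assess(installed, fixed)} "
              f"careful={assess(installed, fixed)}")
```

Run stand-alone, the first pair is the one from this issue: the naive check reports "fixed" because 2.39-6 sorts after 2.37-19, while `assess` returns "unknown", which is the honest answer until a fixed patch level for the 2.39 line is known.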