With FedRAMP, timelines for remediation are very stringent (<30 days for
crits/highs).

We often run into issues with Debian containers where critical/high Debian
CVEs are taking sometimes well over a month to get through the
testing/deployment process.

The following vuln has a patch available but we have seen no activity on
the tracking site since 9/28.

Is there any process we can follow to help accelerate the patching and
releases? What is the expected timeline? We are in the middle of a FedRAMP
audit where you get tested on vuln management and this could cause us to
fail since the vuln is in a sensitive component, was published 9/15, the fix
was available 9/24 and yet it is 10/24 and there has been no further
activity.

https://tracker.debian.org/pkg/expat

Happy to help by joining the community if that will help get this
accomplished.

Ted Harwood

Principal Security Architect, Federal

Moveworks

408.614.0139
