I have the vulnerability debian-cve-2020-8616 in my environment. Found on a Debian 12 running bind9 “1:9.10.3.dfsg.P4-12.3+deb9u12”.
https://kb.isc.org/docs/cve-2020-8616 tells me, that bind9 is vulnerable between 9.0.0 → 9.11.18 BUT the Debian people say it is fixed in “1:9.10.3.dfsg.P4-12.3+deb9u6”.
How should I deal with this situation? Should I report it as false positive?
The 1:9.10.3xxxx fix applies to “Stretch” which is Debian 9.
You are running on Debian 12 “Bookworm”, which has the different fix version.
This is a common area for confusion as patches get backported into different versions with corresponding OS version.
Turns out the finding was corrent!
The system had obsolete packages which where not patched by apt. Maybe caused by a dist-upgrade.
apt list ~o
apt purge ~o