Package name error in alpine-secdb
https://git.alpinelinux.org/cgit/alpine-secdb/tree/v3.7/main.yaml#n397 says there are two CVEs open on package libressl prior to 2.6.5-r0 in Alpine 3.7 (and certainly earlier, I haven’t checked). However, Alpine 3.7 does not have a package named exactly libressl; it has two packages, named libressl2.6-libcrypto and libressl2.6-libssl. The version of those packages in the instances I see is 2.6.3-r0, and is thus affected by the CVEs.
This difference in naming means that the Clair security scanner does not detect that there is a concern on these images and that they should be updated.
(from redmine: issue id 9067, created on 2018-07-09, closed on 2018-07-13)
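
The mismatch reported above, as an added example that is not part of the original issue and not code from Alpine or Clair: the same secdb entry is looked up once by binary package name and once by the origin (source package) field of the apk installed database. The installed-database records, the `o:libressl` origin value, the simplified secdb structure, the placeholder CVE ids and the helper names are all constructed assumptions.

```python
import re

# Constructed sample of /lib/apk/db/installed records
# (P = binary package, V = version, o = origin/source package).
# The o: values are an assumption, not taken from the issue.
INSTALLED = """\
P:libressl2.6-libcrypto
V:2.6.3-r0
o:libressl

P:libressl2.6-libssl
V:2.6.3-r0
o:libressl

P:musl
V:1.1.18-r3
o:musl
"""

# Simplified stand-in for the secdb entry: package -> {fixed version: CVE ids}.
# The CVE ids are placeholders; the issue does not list them.
SECDB = {"libressl": {"2.6.5-r0": ["CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-2"]}}

def parse_installed(text):
    """Yield one dict of single-letter fields per blank-line-separated record."""
    for block in text.strip().split("\n\n"):
        yield dict(line.split(":", 1) for line in block.splitlines())

def vkey(version):
    """Sort key for plain 'X.Y.Z-rN' versions only (not full apk version rules)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def findings(text, secdb, key):
    """Return (binary package, CVE) pairs, looking secdb up by record field `key`."""
    out = []
    for rec in parse_installed(text):
        for fixed, cves in secdb.get(rec.get(key, ""), {}).items():
            if vkey(rec["V"]) < vkey(fixed):
                out += [(rec["P"], cve) for cve in cves]
    return out

by_name = findings(INSTALLED, SECDB, "P")    # lookup by binary package name
by_origin = findings(INSTALLED, SECDB, "o")  # lookup by origin package name
print("matched by name:", by_name)
print("matched by origin:", by_origin)
```
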