Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update to gosu 1.17 #1038

Merged
merged 1 commit into from
Mar 26, 2024
Merged

Conversation

zhangguanzhang
Copy link
Contributor

@zhangguanzhang zhangguanzhang commented Mar 26, 2024

Update to gosu 1.17
https://github.com/tianon/gosu/releases/tag/1.17
Fixes cve

usr/local/bin/gosu (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2023-27561 │ HIGH     │ fixed  │ v1.1.0            │ 1.1.5         │ runc: volume mount race condition (regression of       │
│                                │                │          │        │                   │               │ CVE-2019-19921)                                        │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561             │
│                                ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2024-21626 │          │        │                   │ 1.1.12        │ runc: file descriptor leak                             │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21626             │
│                                ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2022-29162 │ MEDIUM   │        │                   │ 1.1.2         │ runc: incorrect handling of inheritable capabilities   │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162             │
│                                ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2023-28642 │          │        │                   │ 1.1.5         │ runc: AppArmor can be bypassed when `/proc` inside the │
│                                │                │          │        │                   │               │ container is symlinked...                              │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28642             │
│                                ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────────────────┤
│                                │ CVE-2023-25809 │ LOW      │        │                   │               │ runc: Rootless runc makes `/sys/fs/cgroup` writable    │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-25809             │
└────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

@zhangguanzhang zhangguanzhang changed the title Update go gosu 1.17 Update to gosu 1.17 Mar 26, 2024
Signed-off-by: zhangguanzhang <[email protected]>
@tianon
Copy link
Member

tianon commented Mar 26, 2024

To be extremely and explicitly clear, those CVEs are false positives in gosu and should 100% be reported to your scanning tool vendor (as described in https://github.com/tianon/gosu/blob/master/SECURITY.md).

I agree that we should update gosu to 1.17, but I very strongly disagree that these CVE fixes are a solid justification for doing so.

@tianon tianon merged commit db3fdfb into docker-library:master Mar 26, 2024
5 checks passed
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Mar 26, 2024
Changes:

- docker-library/mysql@db3fdfb: Merge pull request docker-library/mysql#1038 from zhangguanzhang/update-gosu
- docker-library/mysql@831e587: Update to gosu 1.17
@zhangguanzhang zhangguanzhang deleted the update-gosu branch March 27, 2024 02:38
martin-g pushed a commit to martin-g/docker-official-images that referenced this pull request Apr 3, 2024
Changes:

- docker-library/mysql@db3fdfb: Merge pull request docker-library/mysql#1038 from zhangguanzhang/update-gosu
- docker-library/mysql@831e587: Update to gosu 1.17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants