
Update to gosu 1.17 #1038

Merged: 1 commit merged into docker-library:master from zhangguanzhang/update-gosu on Mar 26, 2024
Conversation

zhangguanzhang (Contributor) commented Mar 26, 2024

Update to gosu 1.17
https://github.com/tianon/gosu/releases/tag/1.17
Fixes CVEs

usr/local/bin/gosu (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2023-27561 │ HIGH     │ fixed  │ v1.1.0            │ 1.1.5         │ runc: volume mount race condition (regression of       │
│                                │                │          │        │                   │               │ CVE-2019-19921)                                        │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561             │
│                                ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2024-21626 │          │        │                   │ 1.1.12        │ runc: file descriptor leak                             │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21626             │
│                                ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2022-29162 │ MEDIUM   │        │                   │ 1.1.2         │ runc: incorrect handling of inheritable capabilities   │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162             │
│                                ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2023-28642 │          │        │                   │ 1.1.5         │ runc: AppArmor can be bypassed when `/proc` inside the │
│                                │                │          │        │                   │               │ container is symlinked...                              │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28642             │
│                                ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────────────────┤
│                                │ CVE-2023-25809 │ LOW      │        │                   │               │ runc: Rootless runc makes `/sys/fs/cgroup` writable    │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-25809             │
└────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

@zhangguanzhang zhangguanzhang changed the title Update go gosu 1.17 Update to gosu 1.17 Mar 26, 2024
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
tianon (Member) commented Mar 26, 2024

To be extremely and explicitly clear, those CVEs are false positives in gosu and should 100% be reported to your scanning tool vendor (as described in https://github.com/tianon/gosu/blob/master/SECURITY.md).

I agree that we should update gosu to 1.17, but I very strongly disagree that these CVE fixes are a solid justification for doing so.
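
As an added illustration of the mechanism behind that comment (example code written for this page, not gosu's, docker-library's, or the scanner's own implementation): a Go binary embeds the version of every module in its build, and a `gobinary` scanner matches advisories against that embedded module list. A module is recorded whole even when the binary imports only one of its packages, so a module-level match says nothing about whether the vulnerable code was linked at all. The advisory list below is constructed from the Trivy table in the PR description; `ReadDeps` reads the real embedded list from a binary on disk through the standard library's `debug/buildinfo`, and the version comparison is a deliberately minimal vMAJOR.MINOR.PATCH compare (pre-release and pseudo-version suffixes are dropped, which over-reports rather than under-reports).

```go
// Added example, not code from gosu or docker-library: reproduce what a
// "gobinary" scanner sees. Go binaries embed their module graph, and scanners
// match advisories against those MODULE versions, not against the packages
// the binary actually links. A match is a lead to triage, not proof that
// vulnerable code is reachable.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Advisory is a minimal module-level advisory record (hypothetical schema).
type Advisory struct {
	ID       string
	Module   string
	FixedIn  string // first fixed version, "vX.Y.Z"
	Severity string
}

// Finding pairs an embedded module version with an advisory it matches.
type Finding struct {
	Advisory Advisory
	Version  string
}

// sampleAdvisories is constructed from the Trivy table in the PR description
// (CVE-2023-25809 shares the 1.1.5 fixed-version cell with CVE-2023-28642).
var sampleAdvisories = []Advisory{
	{"CVE-2023-27561", "github.com/opencontainers/runc", "v1.1.5", "HIGH"},
	{"CVE-2024-21626", "github.com/opencontainers/runc", "v1.1.12", "HIGH"},
	{"CVE-2022-29162", "github.com/opencontainers/runc", "v1.1.2", "MEDIUM"},
	{"CVE-2023-28642", "github.com/opencontainers/runc", "v1.1.5", "MEDIUM"},
	{"CVE-2023-25809", "github.com/opencontainers/runc", "v1.1.5", "LOW"},
}

// parseVersion turns "v1.1.12" into [1 1 12]. Any "-pre" or "+incompatible"
// suffix is dropped, so a pseudo-version compares by its base version only.
func parseVersion(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// versionLess reports whether a sorts before b; unparsable input never matches.
func versionLess(a, b string) bool {
	pa, oka := parseVersion(a)
	pb, okb := parseVersion(b)
	if !oka || !okb {
		return false
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// MatchModules flags every embedded module whose version is below an
// advisory's fixed version. This is module-granularity matching: it cannot
// tell which packages of the module the binary actually imported.
func MatchModules(deps map[string]string, advs []Advisory) []Finding {
	var out []Finding
	for _, a := range advs {
		if ver, ok := deps[a.Module]; ok && versionLess(ver, a.FixedIn) {
			out = append(out, Finding{Advisory: a, Version: ver})
		}
	}
	return out
}

// ReadDeps reads the module list embedded in a Go binary (the same data a
// gobinary scanner and `go version -m` use), honouring replace directives.
func ReadDeps(path string) (map[string]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read build info from %s: %w", path, err)
	}
	deps := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		m := d
		if d.Replace != nil {
			m = d.Replace
		}
		deps[m.Path] = m.Version
	}
	return deps, nil
}

func main() {
	// Usage: go run . /usr/local/bin/gosu
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gobinary-check <path-to-go-binary>")
		os.Exit(2)
	}
	deps, err := ReadDeps(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	findings := MatchModules(deps, sampleAdvisories)
	for _, f := range findings {
		fmt.Printf("%s %-8s %s %s < fixed %s (module-level match: confirm the vulnerable package is linked before acting)\n",
			f.Advisory.ID, f.Advisory.Severity, f.Advisory.Module, f.Version, f.Advisory.FixedIn)
	}
	if len(findings) == 0 {
		fmt.Println("no module-level matches against the sample advisories")
	}
}
```

Run against a gosu 1.16 binary, `MatchModules` reproduces the five rows in the PR description from nothing more than the embedded `github.com/opencontainers/runc v1.1.0` entry; that is the whole basis of the scanner's report, which is why the triage step (which packages of the module are actually linked) has to be done separately, as the gosu SECURITY.md linked above asks.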

@tianon tianon merged commit db3fdfb into docker-library:master Mar 26, 2024
5 checks passed
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Mar 26, 2024
Changes:

- docker-library/mysql@db3fdfb: Merge pull request docker-library/mysql#1038 from zhangguanzhang/update-gosu
- docker-library/mysql@831e587: Update to gosu 1.17
@zhangguanzhang zhangguanzhang deleted the update-gosu branch March 27, 2024 02:38
martin-g pushed a commit to martin-g/docker-official-images that referenced this pull request Apr 3, 2024