This version of gosu is bringing CVEs
Closed this issue · 13 comments
tianon/gosu#151
I created an issue to fix the CVE errors
linked to redis/redis#13663
After reading this thread I am convinced that gosu shouldn't be used at all, as the lib hasn't had a release in more than a year and the lib owner refuses to bump the golang version to 1.23 anytime soon.
tianon/gosu#136
Just for the update: the owner of the lib is refusing to update his library to fix CVEs, as stated in his README.
I understand there are false positives, but maintaining libraries should still be a thing.
tianon/gosu#136
@dogruis is there a plan to remove gosu? Or will these vulns remain present in the image?
I am not part of the redis team and I requested something to be done. Tbh I would not use gosu, as there are command-line alternatives.
@oranagra @sundb @enjoy-binbin do we have any news?
Hi @frankyjquintero,
from what I see, I would categorize this as a false-positive, but we will take a deeper look. @adamiBs FYI.
@tianon Could you please confirm the following:
- You are addressing CVEs related to `Go` that are related to interfaces that impact `gosu`. Because there might be security issues in `Go` that are irrelevant to `gosu`, Docker Hub's CVE reporting might include false positives. So it reports a CVE in `Go` that has no impact on `gosu` or the Docker containers that use `gosu` in the entrypoint script. Is this understanding correct?
- The command `gosu` is used to run `redis-server` under the user `redis` if no `--user` flag is specified when starting the container. This seems to be a safeguard mechanism to avoid running the process under `root` within the container. You can still restrict it more by running the container via `docker run --user redis redis`.
Regards,
David
Yes, that is correct (on both counts).
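The safeguard confirmed in the exchange above, as an added example (not the redis image's own entrypoint script and not gosu's code): a small POSIX shell function that decides what the container would actually exec for a given effective UID, so the privilege-drop logic can be checked outside Docker. The user name `redis` and the `gosu` binary are assumptions here.

```shell
#!/bin/sh
# Added example, not the redis image's entrypoint. Mirrors the safeguard
# described in the thread: when the container starts as root (no --user
# given) and the command is redis-server, drop to the `redis` user via gosu;
# when `docker run --user redis` already made the process non-root, run as-is.
# Assumed names: user `redis`, binary `gosu` (both assumptions).

# plan_exec UID CMD [ARGS...]
# Prints the command line the entrypoint would exec for a given effective UID.
plan_exec() {
  uid="$1"
  shift
  if [ "$uid" = "0" ] && [ "$1" = "redis-server" ]; then
    # Root and starting redis-server: re-exec under the unprivileged user.
    printf 'gosu redis %s\n' "$*"
  else
    # Already non-root, or a different command (e.g. a debugging shell):
    # the privilege drop only applies to redis-server, so leave it alone.
    printf '%s\n' "$*"
  fi
}

# check_not_root UID CMD [ARGS...]
# Returns 0 when the final process would not run as root, 1 otherwise.
check_not_root() {
  case "$(plan_exec "$@")" in
    gosu\ redis\ *) return 0 ;;   # gosu drops privileges before redis starts
    *) [ "$1" != "0" ] ;;          # no gosu: only safe if UID was not 0
  esac
}

# Real entrypoint usage (only inside the container, where gosu exists):
#   if [ "$(id -u)" = "0" ] && [ "$1" = "redis-server" ]; then
#     exec gosu redis "$@"
#   fi
#   exec "$@"
```

A quick `docker exec <container> id -u` showing a non-zero UID for the redis-server process is the runtime confirmation that the drop happened, whichever of the two mechanisms did it.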
Our latest RC image contains the fix for this:
https://hub.docker.com/layers/library/redis/8.0-rc1/images/sha256-4e04eab2df86d0f888262215afdf467f2509962a7c1818ac4cac9590912dfcd5
Great, but when is this release coming? It's been many, many months and still no new tag. You already had a fix months ago; what we are asking for is a new tag containing the fixes.
Not really, it's a release candidate and not a release. So I would wait for a new release instead. Thanks a lot!!!!!
We are very close to the 8.0 GA release.
Sorry, but we cannot share the exact date.
Will this fix be merged into redis 6 and redis 7?
