Upgrade runc to latest.
coltonfreeman26 opened this issue · 7 comments
Good day all,
I am wondering if there are any plans to update the version of runc you use?
Currently you are on 1.1.0 and runc 1.1.2 was released a couple of weeks ago.
Thank you.
Usage: gosu user-spec command [args]
eg: gosu tianon bash
gosu nobody:root bash -c 'whoami && id'
gosu 1000:1 id
gosu version: 1.14 (go1.16.7 on linux/amd64; gc)
gosu license: Apache-2.0 (full text at https://github.com/tianon/gosu)
I just read that gosu 1.14 uses runc 1.0.1
Yeah, I'll update the go.mod to point to the newer version, but I will warn that I don't plan to make a new release that contains that change as there are no functional changes to the bits of runc that gosu actually invokes which make a new release worth doing.
Thank you for getting back so quickly. I have looked there and this is CVE-motivated.
GHSA-f3fp-gc8g-vw66
Please let me know if there is any other information you need.
@tianon I would also love to have a new gosu release with runc v1.1.2.
Our security scanner is listing these CVEs because it has no context or information like this: #104
Making exceptions seems unnecessary.
If you really don't intend to release a new version, am I allowed to build my own version?
gosu is Apache License Version 2.0
I try to keep the main development branch up-to-date with newer package versions, but I have no plans to make a new release of gosu unless there is a compelling reason to do so (changes to/CVEs in the actual codepaths gosu invokes, changes to gosu itself, etc).
(You really should report anything like this to your security scanner vendor -- they're 100% false-positives.)
If you really don't intend to release a new version, am I allowed to build my own version?
You are free to make your own builds of gosu, yes (distributions like Debian already do this, even with different versions of the dependencies than I do). If you are doing more than just rebuilding the upstream project as-is, I only request that you call your project/binaries something other than gosu. ❤️
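What the scanner in this thread keys off is the runc module version recorded in the gosu binary's build metadata (the `dep` lines that `go version -m ./gosu` prints), not whether the affected runc code is actually linked. If you rebuild gosu yourself after bumping go.mod, the practical check is to read that metadata back and compare it against the version you wanted. The Go program below is an added example, not code from gosu or runc: it parses a constructed sample of `go version -m` output (module hashes and the x/sys pseudo-version are placeholders), honours `=>` replace lines, and reports whether the embedded runc module is at least a given minimum under Go module version ordering.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleBuildInfo is a constructed stand-in for what `go version -m ./gosu`
// prints for a binary built from a go.mod that still requires runc v1.0.1.
// Hashes and the x/sys pseudo-version are placeholders, not real checksums.
const sampleBuildInfo = "gosu: go1.16.7\n" +
	"\tpath\tgithub.com/tianon/gosu\n" +
	"\tmod\tgithub.com/tianon/gosu\t(devel)\n" +
	"\tdep\tgithub.com/opencontainers/runc\tv1.0.1\th1:placeholder=\n" +
	"\tdep\tgolang.org/x/sys\tv0.0.0-20210101000000-000000000000\th1:placeholder=\n"

// parseDeps extracts module path -> version from `go version -m` output.
// A "=>" line directly after a dep records a replace directive; the
// replacement is what is actually linked, so it overrides the dep version.
func parseDeps(buildInfo string) map[string]string {
	deps := make(map[string]string)
	last := ""
	for _, line := range strings.Split(buildInfo, "\n") {
		fields := strings.Split(strings.TrimSpace(line), "\t")
		switch {
		case fields[0] == "dep" && len(fields) >= 3:
			last = fields[1]
			deps[last] = fields[2]
		case fields[0] == "=>" && len(fields) >= 3 && last != "":
			deps[last] = fields[2]
		default:
			last = ""
		}
	}
	return deps
}

// parseSemver splits a Go module version ("v1.1.2", "v1.1.2-rc.1",
// "v1.1.2+incompatible", pseudo-versions) into numeric parts and a
// pre-release tag. Build metadata after '+' is ignored, as Go does.
func parseSemver(version string) ([3]int, string, error) {
	var nums [3]int
	if !strings.HasPrefix(version, "v") {
		return nums, "", fmt.Errorf("version %q lacks the v prefix Go modules require", version)
	}
	v := strings.TrimPrefix(version, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", fmt.Errorf("version %q is not major.minor.patch", version)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, "", fmt.Errorf("version %q has non-numeric component %q", version, p)
		}
		nums[i] = n
	}
	return nums, pre, nil
}

// compareVersions returns -1, 0 or 1 ordering a against b: numeric
// major.minor.patch first, then a pre-release tag sorts before the
// corresponding release (so v1.1.2-rc.1 < v1.1.2).
func compareVersions(a, b string) (int, error) {
	an, apre, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	bn, bpre, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case apre == bpre:
		return 0, nil
	case apre == "":
		return 1, nil
	case bpre == "":
		return -1, nil
	case apre < bpre:
		return -1, nil
	default:
		return 1, nil
	}
}

// checkMinimum reports the version of module embedded in buildInfo and
// whether it is at least min. A module that is not linked at all is an
// error rather than a silent pass.
func checkMinimum(buildInfo, module, min string) (string, bool, error) {
	got, present := parseDeps(buildInfo)[module]
	if !present {
		return "", false, fmt.Errorf("%s is not linked into this binary", module)
	}
	c, err := compareVersions(got, min)
	if err != nil {
		return got, false, err
	}
	return got, c >= 0, nil
}

func main() {
	const runc = "github.com/opencontainers/runc"
	got, ok, err := checkMinimum(sampleBuildInfo, runc, "v1.1.2")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s, at least v1.1.2: %v\n", runc, got, ok)
}
```

To use it on a real build, bump the dependency and rebuild (`go get github.com/opencontainers/runc@v1.1.2 && go mod tidy && go build`), then pass the text of `go version -m ./gosu` to checkMinimum in place of the constructed sample. Note the limit of this check, which is the same limit the maintainer points out for scanners: it tells you which runc module version the binary carries, not whether the code affected by a given advisory is reachable from gosu.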