Runc version update timeline
vsur06 opened this issue · 1 comment
vsur06 commented
Hi, is there a timeline for the next updated version of gosu with runc version 1.1.5? There are two CVEs reported in runc, GHSA-g2j6-57v7-gm8c and GHSA-m8cg-xc2p-r3fc, which have been fixed in version 1.1.5.
yosifkit commented
`gosu` does not use any of the vulnerable code paths from runc (you can verify by running `govulncheck`). So any scanner that flags `gosu` with those CVEs is a false positive; they need to be doing what `govulncheck` does to verify that it is a true vulnerability.
See also https://github.com/tianon/gosu/blob/bf158f3b52664ba62de0b561a2bff706fa0e9daf/SECURITY.md#cves
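The distinction yosifkit draws (a vulnerable module present in the build graph versus a vulnerable symbol actually called) is what `govulncheck` reports at finding level. As an added example, not part of this issue or the gosu project, the script below classifies advisories from `govulncheck -json` output by that criterion; the assumed format (a stream of objects keyed `osv`/`finding`, with a `function` in the first trace frame only when the symbol is reached) is my reading of the tool's JSON protocol, and the sample stream, its `GO-EXAMPLE-*` IDs and the `GHSA-EXAMPLE-REACHABLE` alias are constructed.

```python
import json
import sys

# Constructed sample of `govulncheck -json` output (not real gosu output).
# Assumed protocol: a concatenated stream of JSON objects, each with one of
# the keys "config", "progress", "osv" or "finding". A finding whose first
# trace frame has a "function" means the vulnerable symbol is reached; a
# module-only trace means "present in the dependency graph, never called".
SAMPLE_JSON_STREAM = """
{"config": {"scanner_name": "govulncheck"}}
{"osv": {"id": "GO-EXAMPLE-0001", "aliases": ["GHSA-g2j6-57v7-gm8c"]}}
{"osv": {"id": "GO-EXAMPLE-0002", "aliases": ["GHSA-m8cg-xc2p-r3fc"]}}
{"osv": {"id": "GO-EXAMPLE-0003", "aliases": ["GHSA-EXAMPLE-REACHABLE"]}}
{"finding": {"osv": "GO-EXAMPLE-0001", "fixed_version": "v1.1.5",
  "trace": [{"module": "github.com/opencontainers/runc", "version": "v1.1.4"}]}}
{"finding": {"osv": "GO-EXAMPLE-0002", "fixed_version": "v1.1.5",
  "trace": [{"module": "github.com/opencontainers/runc", "version": "v1.1.4"}]}}
{"finding": {"osv": "GO-EXAMPLE-0003", "fixed_version": "v0.0.2",
  "trace": [{"module": "example.com/dep", "package": "example.com/dep/pkg",
             "function": "Vulnerable"},
            {"module": "example.com/app", "package": "main", "function": "main"}]}}
"""


def iter_messages(stream: str):
    """Yield each JSON object from a concatenated, possibly pretty-printed stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while (pos := len(stream) - len(stream[pos:].lstrip())) < len(stream):
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def classify_advisories(stream: str) -> dict:
    """Map every Go ID and alias (GHSA/CVE) to 'reachable' or 'informational'."""
    aliases, status = {}, {}
    for msg in iter_messages(stream):
        if "osv" in msg:
            entry = msg["osv"]
            aliases[entry["id"]] = [entry["id"], *entry.get("aliases", [])]
        elif "finding" in msg:
            f = msg["finding"]
            first = f["trace"][0] if f.get("trace") else {}
            if first.get("function"):          # symbol-level finding: really called
                status[f["osv"]] = "reachable"
            else:                               # module/package-level only
                status.setdefault(f["osv"], "informational")
    return {name: status.get(go_id, "not-found")
            for go_id, names in aliases.items() for name in names}


if __name__ == "__main__":  # e.g. govulncheck -mode binary -json ./gosu | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON_STREAM
    for name, verdict in sorted(classify_advisories(data).items()):
        print(f"{name}: {verdict}")
```

Only entries that come back `reachable` are findings a scanner should raise against the binary; `informational` entries are the module-present-but-uncalled case the comment above describes.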