tianon/gosu

[Security] Update Gosu binaries to use the latest Golang versions

jotamartos opened this issue · 3 comments

The Golang team released new versions of the Go packages including security fixes (CVE-2021-33196 and CVE-2021-39293). You can get more information from here:

https://groups.google.com/g/golang-announce/c/dx9d7IOseHw

Could you please update the gosu binaries to use this new version of Go?

Thanks

I don't really think it's worthwhile to rebuild just for rebuilding's sake; do we have any reason to believe gosu is using any of the vulnerable code?

I didn't find any reference to the archive/zip package in the code but I wanted to confirm with you as the binary was built using an outdated version of Go. If you can confirm this security issue doesn't affect gosu, there is no need to rebuild it.

Yep, I can confirm that I don't see any way this vulnerability could be exposed in any of the codepaths gosu invokes. 👍
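The question settled in this thread, whether anything gosu builds on pulls in `archive/zip`, comes down to import-graph reachability: a package that no import chain reaches is not linked into the binary. The sketch below is an added example, not gosu's code or anything posted in the thread; `samplePkgs` and its `example.com/...` packages are constructed, and on a real module `go list -deps` supplies the same graph.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// samplePkgs is constructed input, not gosu's source: import path -> file source.
var samplePkgs = map[string]string{
	"example.com/tool":          "package main\nimport (\n\"os\"\n\"example.com/tool/user\"\n)",
	"example.com/tool/user":     "package user\nimport \"strconv\"",
	"example.com/packer":        "package main\nimport \"example.com/packer/bundle\"",
	"example.com/packer/bundle": "package bundle\nimport z \"archive/zip\"",
}

// chainTo walks the import graph breadth-first from root and returns the
// shortest import chain reaching target, or nil when target is unreachable.
func chainTo(pkgs map[string]string, root, target string) ([]string, error) {
	prev := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if cur == target {
			var chain []string
			for p := cur; p != ""; p = prev[p] {
				chain = append([]string{p}, chain...)
			}
			return chain, nil
		}
		src, ok := pkgs[cur]
		if !ok {
			continue // no source supplied (e.g. standard library): a leaf
		}
		f, err := parser.ParseFile(token.NewFileSet(), cur, src, parser.ImportsOnly)
		if err != nil {
			return nil, err
		}
		for _, spec := range f.Imports {
			dep, _ := strconv.Unquote(spec.Path.Value) // parser already accepted the literal
			if _, seen := prev[dep]; !seen {
				prev[dep] = cur
				queue = append(queue, dep)
			}
		}
	}
	return nil, nil
}

func main() { fmt.Println(chainTo(samplePkgs, "example.com/packer", "archive/zip")) }
```

A nil chain means the target package cannot be linked in from that root; a non-nil chain shows which dependency introduces it and is the starting point for checking whether the affected functions are actually called.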