Activity log for bug #2072883

Date                | Who            | What changed         | Old value        | New value      | Message
2024-07-12 04:27:26 | Juraj Martinka | bug                  |                  |                | added bug
2024-07-12 13:37:00 | John Chittum   | information type     | Private Security | Public         |
2024-07-12 13:47:52 | John Chittum   | bug task added       |                  | gosu (Ubuntu)  |
2024-07-12 13:47:58 | John Chittum   | cloud-images: status | New              | Invalid        |
2024-07-12 13:51:14 | John Chittum   | cve linked           |                  | 2024-24790     |
2024-07-15 16:51:49 | Mark Esler     | cve linked           |                  | 2024-24791     |
2024-07-15 16:51:59 | Mark Esler     | cve linked           |                  | 2023-45283     |
2024-07-23 13:53:44 | Juraj Martinka | description          | (old value below) | (new value below) |

Old value:

Previously reported here: https://github.com/docker-library/cassandra/issues/276#issuecomment-2222627720

Using the latest official ubuntu:noble (or ubuntu:24.10 and probably others) images from dockerhub and installing gosu via `apt update && apt install gosu`. If I create such an image, docker scout reports a few critical and high vulnerabilities.

----
docker run ubuntu:noble -it /bin/bash
# inside the container
apt update && apt install gosu
gosu --version
1.17 (go1.21.3 on linux/arm64; gc)

# create a new image with installed gosu
docker commit <container_id> ubuntu-noble-security

docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
    ✗ Detected 1 vulnerable package with 3 vulnerabilities

## Packages and Vulnerabilities

   1C     2H     0M     0L  stdlib 1.21.3
pkg:golang/stdlib@1.21.3
6: sha256:72d0bb40b06f68e2b1dbbd238d3aa6696de4df6793602d68417c2bac696c10ca /usr/sbin/gosu (evident by)

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : <1.21.11
      Fixed version  : 1.21.11

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : <1.21.12
      Fixed version  : 1.21.12

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283
      Affected range : >=1.21.0-0
                     : <1.21.4
      Fixed version  : 1.21.4

New value:

Previously reported here: https://github.com/docker-library/cassandra/issues/276#issuecomment-2222627720

Using the latest official ubuntu:noble (or ubuntu:24.10 and probably others) images from dockerhub and installing gosu via `apt update && apt install gosu`. If I create such an image, docker scout reports a few critical and high vulnerabilities.

----
docker run -it ubuntu:noble /bin/bash
# inside the container
apt update && apt install gosu
gosu --version
1.17 (go1.21.3 on linux/arm64; gc)

# create a new image with installed gosu
docker commit <container_id> ubuntu-noble-security

docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
    ✗ Detected 1 vulnerable package with 3 vulnerabilities

## Packages and Vulnerabilities

   1C     2H     0M     0L  stdlib 1.21.3
pkg:golang/stdlib@1.21.3
6: sha256:72d0bb40b06f68e2b1dbbd238d3aa6696de4df6793602d68417c2bac696c10ca /usr/sbin/gosu (evident by)

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : <1.21.11
      Fixed version  : 1.21.11

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : <1.21.12
      Fixed version  : 1.21.12

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283
      Affected range : >=1.21.0-0
                     : <1.21.4
      Fixed version  : 1.21.4