Previously reported here: https://github.com/docker-library/cassandra/issues/276#issuecomment-2222627720
Using the latest official ubuntu:noble (or ubuntu:24.10 and probably others) images from dockerhub and installing gosu via `apt update && apt install gosu`.
If I create such an image, docker scout reports a few critical and high vulnerabilities.
----
docker run -it ubuntu:noble /bin/bash
# inside the container
apt update && apt install gosu
gosu --version
1.17 (go1.21.3 on linux/arm64; gc)
# create a new image with installed gosu
docker commit <container_id> ubuntu-noble-security
docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
✗ Detected 1 vulnerable package with 3 vulnerabilities
## Packages and Vulnerabilities
   1C     2H     0M     0L  stdlib 1.21.3
pkg:golang/stdlib@1.21.3

6: sha256:72d0bb40b06f68e2b1dbbd238d3aa6696de4df6793602d68417c2bac696c10ca
   /usr/sbin/gosu (evident by)

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : <1.21.11
      Fixed version  : 1.21.11

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : <1.21.12
      Fixed version  : 1.21.12

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283
      Affected range : >=1.21.0-0
                     : <1.21.4
      Fixed version  : 1.21.4
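
Added example, not part of the original report: a small Go program that reads the toolchain version embedded in a Go binary with `debug/buildinfo` and lists which of the three findings above are still unfixed for that version, so a rebuilt gosu package can be checked without re-running the scanner. The helper names `parse` and `unfixed` are hypothetical, the default path is the one shown in the report, and only the "Fixed version" upper bounds are compared.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"strconv"
	"strings"
)

// Fix versions copied from the Scout output above (upper bounds only).
var fixedIn = [][2]string{
	{"CVE-2024-24790", "1.21.11"},
	{"CVE-2024-24791", "1.21.12"},
	{"CVE-2023-45283", "1.21.4"},
}

// parse maps "go1.21.3" or "1.21.3" to 1021003; missing or non-numeric parts count as 0.
func parse(v string) (n int) {
	for _, p := range strings.SplitN(strings.TrimPrefix(v, "go")+"..", ".", 4)[:3] {
		x, _ := strconv.Atoi(p)
		n = n*1000 + x
	}
	return n
}

// unfixed lists the CVEs in fixedIn whose fix version is newer than goVersion.
func unfixed(goVersion string) []string {
	hits := []string{}
	for _, e := range fixedIn {
		if parse(goVersion) < parse(e[1]) {
			hits = append(hits, e[0])
		}
	}
	return hits
}

func main() {
	path := "/usr/sbin/gosu" // location from the report; override with the first argument
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	info, err := buildinfo.ReadFile(path) // toolchain version recorded in the binary
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(info.GoVersion, "unfixed:", unfixed(info.GoVersion))
}
```

This is a version match only, the same kind of evidence the scanner reports for `/usr/sbin/gosu`.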