Comment 1 for bug 2072883

John Chittum (jchittum) wrote (last edit):

`gosu` is a universe package in Ubuntu, and from what I can see was inherited from `sid` at version 1.17.1

https://packages.debian.org/sid/gosu

I see no open bugs against `gosu`: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gosu , and it needs to be confirmed that it's built against golang 1.17 in `debian`. Not my expertise.

Normally the correct move would be to go upstream first. Since I control things on the Ubuntu side for cloud-images, I'll move the ticket around there. I'll also make it public as it's not a new security vulnerability (private security bugs are for new disclosures, not for tracking already announced vulnerabilities).

Public Ubuntu tracking of the golang vulnerability:

https://ubuntu.com/security/CVE-2024-24790

Note, since this is reported against Noble, I _believe_ this is an incorrect match. I'm working on double checking, but in Noble the golangs have been patched (both 1.21 and 1.22). It's likely a bad version string match, but I've listed this against `gosu` for someone to double check my assertions. `gosu` in Noble is building against `golang-go=1.22`.

http://archive.ubuntu.com/ubuntu/pool/universe/g/gosu/gosu_1.17-1.dsc