Closed (JVimes closed 1 year ago)
Almost all of those are from very old Go versions. It's not relevant.
Thank you, does that mean caddy:latest is using an old Go version for ARMv7?
No, we always use the latest Go version.
Great. Just to clarify, this makes Caddy look worse to potential new users:
It should make it look better, as these are discovered and patched vulnerabilities. Who knows how many more memory vulns lurk in the dark of NGINX and HAProxy.
I think this is actually a bug in the DockerHub vuln scanning - my gut feeling is that Go 1.20 is being misinterpreted as Go 1.2 (I've seen that a bunch in other systems that parse the number as a float instead of a version string).
For example, it's reporting a very old issue fixed in Go 1.4.3, which we're definitely not vulnerable to 😂
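The misparse suspected in the comment above, as an added example that is not part of the thread and is not Docker Hub's scanner code: reading "1.20" as a decimal number makes it sort below 1.4.3, while an integer comparison of each component does not. The function names `affectedFloat` and `affectedSemantic` are hypothetical; the versions are the two mentioned in the thread.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedFloat reproduces the suspected bug: "major.minor" is read as a
// decimal number, so "1.20" collapses to 1.2.
func affectedFloat(installed, fixedIn string) bool {
	asFloat := func(v string) float64 {
		p := strings.Split(v, ".")
		if len(p) > 2 {
			p = p[:2]
		}
		f, _ := strconv.ParseFloat(strings.Join(p, "."), 64)
		return f
	}
	return asFloat(installed) < asFloat(fixedIn)
}

// affectedSemantic compares dotted versions component by component as
// integers; a missing component counts as 0 ("1.20" == "1.20.0").
func affectedSemantic(installed, fixedIn string) (bool, error) {
	a, b := strings.Split(installed, "."), strings.Split(fixedIn, ".")
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		var err error
		if i < len(a) {
			if x, err = strconv.Atoi(a[i]); err != nil {
				return false, fmt.Errorf("unparseable version %q", installed)
			}
		}
		if i < len(b) {
			if y, err = strconv.Atoi(b[i]); err != nil {
				return false, fmt.Errorf("unparseable version %q", fixedIn)
			}
		}
		if x != y {
			return x < y, nil
		}
	}
	return false, nil // equal: the fix is already included
}

func main() {
	// Versions taken from the thread: Go 1.20 in the image, issue fixed in 1.4.3.
	ok, _ := affectedSemantic("1.20", "1.4.3")
	fmt.Println("float:", affectedFloat("1.20", "1.4.3"), "semantic:", ok)
}
```

A version string that is not purely numeric (a release candidate, for instance) returns an error instead of a guess, so a scanner built this way would surface it for review instead of matching it against the wrong advisories.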
Thanks for the quick response, all. I hope Docker Hub fixes it.
They fixed it pretty fast:
Ha, thanks for reporting that!
Are these vulnerabilities listed in the docker hub concerning?