caddyserver / caddy-docker

Source for the official Caddy v2 Docker Image
https://hub.docker.com/_/caddy
Apache License 2.0

Docker hub lists vulnerabilities #284

Closed JVimes closed 1 year ago

JVimes commented 1 year ago

Are these vulnerabilities listed in the docker hub concerning?

image

francislavoie commented 1 year ago

Almost all of those are from very old Go versions. It's not relevant.

JVimes commented 1 year ago

Thank you, does that mean caddy:latest is using an old Go version for ARMv7?

mholt commented 1 year ago

No, we always use the latest Go version.

JVimes commented 1 year ago

Great. Just to clarify, this makes Caddy look worse to potential new users:

image

mholt commented 1 year ago

It should make it look better, as these are discovered and patched vulnerabilities. Who knows how many more memory vulns lurk in the dark of NGINX and HAProxy.

hairyhenderson commented 1 year ago

I think this is actually a bug in the DockerHub vuln scanning - my gut feeling is that Go 1.20 is being misinterpreted as Go 1.2 (I've seen that a bunch in other systems that parse the number as a float instead of a version string).

For example, it's reporting a very old issue fixed in Go 1.4.3, which we're definitely not vulnerable to 😂
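To make the suspected parsing bug concrete, here is an added example (not code from this thread or from the Caddy project): it reproduces a "major.minor as float" comparison, under which Go 1.20 sorts below the 1.4.3 fix version, next to a component-wise comparison that gets it right. That a sloppy scanner truncates to major.minor before parsing is an assumption made for the demonstration.

```go
package main

import (
	"strconv"
	"strings"
)

// FloatVersion mimics the suspected scanner bug (assumed behaviour): only
// "major.minor" survives and is parsed as a float, so "1.20" collapses to 1.2.
func FloatVersion(s string) float64 {
	p := strings.SplitN(strings.TrimPrefix(s, "go"), ".", 3)
	if len(p) > 2 {
		p = p[:2] // the patch level is dropped
	}
	f, _ := strconv.ParseFloat(strings.Join(p, "."), 64)
	return f
}

// parseGoVersion splits "go1.20.3" or "1.4.3" into integer components
// (missing patch level = 0); ok is false for anything it cannot parse.
func parseGoVersion(s string) (v [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, false
		}
		v[i] = n
	}
	return v, true
}

// OlderThan is the correct check, comparing component by component;
// ok is false when either version string is malformed.
func OlderThan(have, fixed string) (older, ok bool) {
	h, okH := parseGoVersion(have)
	f, okF := parseGoVersion(fixed)
	if !okH || !okF {
		return false, false
	}
	for i := range h {
		if h[i] != f[i] {
			return h[i] < f[i], true
		}
	}
	return false, true
}
```

With the float comparison, FloatVersion("1.20") < FloatVersion("1.4.3") holds, which is exactly the false positive; OlderThan("1.20", "1.4.3") correctly reports not older.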

JVimes commented 1 year ago

Thanks for the quick response, all. I hope Docker Hub fixes it.

hairyhenderson commented 1 year ago

They fixed it pretty fast:

image

mholt commented 1 year ago

Ha, thanks for reporting that!