docker-library / mysql

Docker Official Image packaging for MySQL Community Server
https://dev.mysql.com/
GNU General Public License v2.0

Update to gosu 1.17 #1038

Closed zhangguanzhang closed 3 months ago

zhangguanzhang commented 3 months ago

Update to gosu 1.17 (https://github.com/tianon/gosu/releases/tag/1.17). Fixes CVEs:

usr/local/bin/gosu (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2023-27561 │ HIGH     │ fixed  │ v1.1.0            │ 1.1.5         │ runc: volume mount race condition (regression of       │
│                                │                │          │        │                   │               │ CVE-2019-19921)                                        │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561             │
│                                ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2024-21626 │          │        │                   │ 1.1.12        │ runc: file descriptor leak                             │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21626             │
│                                ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2022-29162 │ MEDIUM   │        │                   │ 1.1.2         │ runc: incorrect handling of inheritable capabilities   │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162             │
│                                ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│                                │ CVE-2023-28642 │          │        │                   │ 1.1.5         │ runc: AppArmor can be bypassed when `/proc` inside the │
│                                │                │          │        │                   │               │ container is symlinked...                              │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28642             │
│                                ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────────────────┤
│                                │ CVE-2023-25809 │ LOW      │        │                   │               │ runc: Rootless runc makes `/sys/fs/cgroup` writable    │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-25809             │
└────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

tianon commented 3 months ago

To be extremely and explicitly clear, those CVEs are false positives in gosu and should 100% be reported to your scanning tool vendor (as described in https://github.com/tianon/gosu/blob/master/SECURITY.md).

I agree that we should update gosu to 1.17, but I very strongly disagree that these CVE fixes are a solid justification for doing so.