docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License
2.14k stars 1.11k forks

Use of GOSU introduces critical CVEs #1248

Closed matt-gribben closed 3 weeks ago

matt-gribben commented 3 weeks ago

The use of GOSU introduces critical vulnerabilities that mean this image can't be used in many production environments. The cause is that the current release of GOSU uses Go 1.18.2 and these issues were fixed in 1.19.9.

Two of these are 9.8s: [CVE-2023-24540] [CVE-2023-24538]

This version also causes alerts for another 29 High vulnerabilities in tools like docker scout etc.

yosifkit commented 3 weeks ago

gosu is not vulnerable to those CVEs: https://github.com/tianon/gosu/blob/master/SECURITY.md. See also https://github.com/tianon/gosu/issues/136#issuecomment-2150375314. TLDR: the industry can and should do better than just spout out perceived CVEs and instead use the available data to see whether they are applicable or not (like govulncheck).

matt-gribben commented 3 weeks ago

@yosifkit I'm aware that it isn't actually vulnerable to those CVEs, but that doesn't change the fact I can't deploy something that's being flagged for critical CVEs. Yes, the industry should do better, but the right here and now means this is an issue. IMO
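The disagreement above comes down to what a scanner can actually learn from a Go binary. Tools like docker scout read the toolchain version embedded in the binary (here Go 1.18.2) and compare it with the version an advisory names as fixed (1.19.9), which says nothing about whether the vulnerable code is reachable; that reachability question is what govulncheck answers. The program below is an added illustration of the first, purely version-based step, written for this thread and not taken from gosu, the postgres image, or any scanner. It reads the embedded Go version with the standard-library `debug/buildinfo` package and reports the result as "toolchain below fix version" rather than "vulnerable", so the distinction yosifkit draws stays visible in the output. The advisory id and fix version used as sample input are the ones quoted in the issue; the `triage` and `toolchainOf` helpers are this example's own names.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.18.2", "1.19.9" or "go1.22" into [major, minor, patch].
// A pre-release suffix such as "go1.21rc1" is cut off before parsing.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "go")
	for i, r := range v { // stop at the first non-numeric, non-dot byte
		if (r < '0' || r > '9') && r != '.' {
			v = v[:i]
			break
		}
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q: %v", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// toolchainAtLeast reports whether the toolchain version "have" is >= "want".
func toolchainAtLeast(have, want string) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseGoVersion(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// Finding records only what the binary's metadata supports: the toolchain it
// was built with and whether that is older than the advisory's fix version.
// It deliberately has no "Vulnerable" field; reachability needs govulncheck.
type Finding struct {
	Advisory          string
	Toolchain         string
	FixedIn           string
	ToolchainBelowFix bool
}

// triage compares an embedded toolchain version with an advisory's fix version.
func triage(advisory, toolchain, fixedIn string) (Finding, error) {
	ok, err := toolchainAtLeast(toolchain, fixedIn)
	if err != nil {
		return Finding{}, err
	}
	return Finding{Advisory: advisory, Toolchain: toolchain, FixedIn: fixedIn, ToolchainBelowFix: !ok}, nil
}

// toolchainOf reads the Go version embedded in a compiled Go binary on disk.
func toolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	// Sample input constructed from the issue: advisory id and fix version as quoted there.
	const advisory, fixedIn = "CVE-2023-24540", "1.19.9"
	paths := os.Args[1:]
	if len(paths) == 0 { // with no arguments, inspect this program's own binary
		self, err := os.Executable()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		paths = []string{self}
	}
	for _, p := range paths {
		tc, err := toolchainOf(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			continue
		}
		f, err := triage(advisory, tc, fixedIn)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s: built with %s, %s fixed in go%s, toolchain below fix: %v (reachability not assessed; run govulncheck)\n",
			p, f.Toolchain, f.Advisory, f.FixedIn, f.ToolchainBelowFix)
	}
}
```

Run it as `go run . /path/to/binary` to see what a version-only scanner sees; a binary built with a toolchain older than the fix version is reported as "toolchain below fix", which is the signal that produced the 9.8 alerts in the issue, and nothing in the binary's metadata alone can upgrade or dismiss that signal without a reachability analysis.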