tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Update golang to 3.15 #101

Closed slakwa closed 2 years ago

slakwa commented 2 years ago

We need this update to mitigate some vulnerabilities that our Security department found.

tianon commented 2 years ago

Duplicate of #98 -- there is no actual vulnerability in gosu itself that is mitigated by this update. :see_no_evil:

While I agree that this should be updated, I do not plan to make a new release from it, so I do not want to merge this under false expectations. :heart:

slakwa commented 2 years ago

Seems like they are saying that it has this vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2021-39293

@tianon can you please confirm or deny?

Also, if https://github.com/tianon/gosu/pull/102 is merged, then I'm fine with closing this one.

tianon commented 2 years ago

See #94 and #97 (in short, no, that's a false positive / overzealous report: gosu does not do anything with .zip files/formats, thus does not use archive/zip).
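Added example (not part of the thread, and not gosu's code): one way to triage a scanner hit like this one is to check whether the flagged standard-library package is in a program's dependency closure at all. The sketch assumes the `go` toolchain is on `PATH`; `LinksPackage` is a hypothetical helper and both sample programs are constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Constructed sample programs for the demo; neither is gosu's source.
const execOnly = `package main
import ("os"; "syscall")
func main() { syscall.Exec(os.Args[1], os.Args[1:], os.Environ()) }
`
const readsZip = `package main
import ("archive/zip"; "os")
func main() { r, _ := zip.OpenReader(os.Args[1]); _ = r }
`

// LinksPackage writes src into a throwaway module and reports whether pkg
// appears in the program's full (transitive) dependency list.
func LinksPackage(src, pkg string) (bool, error) {
	dir, err := os.MkdirTemp("", "depcheck")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	files := map[string]string{"go.mod": "module example.test/depcheck\n\ngo 1.16\n", "main.go": src}
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o600); err != nil {
			return false, err
		}
	}
	cmd := exec.Command("go", "list", "-deps", ".") // one import path per line
	cmd.Dir = dir
	out, err := cmd.Output()
	if err != nil {
		return false, fmt.Errorf("go list: %w", err)
	}
	return strings.Contains("\n"+string(out), "\n"+pkg+"\n"), nil
}

func main() {
	for name, src := range map[string]string{"execOnly": execOnly, "readsZip": readsZip} {
		found, err := LinksPackage(src, "archive/zip")
		fmt.Println(name, "links archive/zip:", found, err)
	}
}
```

A toolchain-version match alone does not show the flagged package is built into the binary; the dependency list does.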