Upgrade runc version from v1.0.1 to v1.1.4 to resolve CVE-2022-29162

tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec

Apache License 2.0

4.73k stars 321 forks source link

Upgrade runc version from v1.0.1 to v1.1.4 to resolve CVE-2022-29162 #117

Closed iyuhptop closed 2 years ago

iyuhptop commented 2 years ago

As the title says, v1.0.1 use runc with version v1.0.1 contains a vulnerability: CVE-2022-29162 , can we upgrade the runc version to v1.1.4 ? The vulnerability is fixed in: 1.1.2

tianon commented 2 years ago

See #104, specifically:

CVE-2022-29162: does not change process capabilities

iyuhptop commented 2 years ago

My code is pulled from tag 1.14... Maybe gosu should create a new release?

tianon commented 2 years ago

CVEs that do not apply to builds of gosu: ... If you use (or maintain) a security scanner which reports any of these against gosu, please report them to the security vendor as false positives.

I try to keep the main development branch up-to-date with newer package versions, but I have no plans to make a new release of gosu unless there is a compelling reason to do so (changes to/CVEs in the actual codepaths gosu invokes, changes to gosu itself, etc).

iyuhptop commented 2 years ago

Got , Thank you