tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Debian Stable gosu version is still 1.14-1 #127

Closed abraunegg closed 10 months ago

abraunegg commented 1 year ago

Hi there,

The Debian Stable version of gosu is still 1.14-1 as per https://tracker.debian.org/pkg/gosu

What is happening is that Docker security scans are detecting that there is a critical vulnerability in stdlib 1.19.8 - which it is reporting is coming from gosu:

[screenshot: Docker Reported Vulnerabilities]

[screenshot: Package Use]

The command that Docker Security Scan is flagging is the following:

RUN /bin/sh -c apt-get clean && apt-get update && apt-get upgrade -y && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends gosu libcurl4 libsqlite3-0 ca-certificates libphobos2-ldc-shared100 && rm -rf /var/lib/apt/lists/* && /usr/bin/c_rehash && mkdir -p /onedrive/conf /onedrive/data # buildkit

Can you please update / release a security release of 1.16 to Debian?

tianon commented 1 year ago

For the purposes of Debian's build of gosu, the only actual change is in version.go: https://github.com/tianon/gosu/compare/1.14...1.16#diff-1ef170619a70876f007d5edfc4554a81aa686eae7678b70df0347b3133cd6d14 :sweat_smile:

(So to put that more directly, I won't be doing an update of gosu in Debian when there wouldn't be any actual substantive change by doing so. :innocent:)

abraunegg commented 1 year ago

> For the purposes of Debian's build of gosu, the only actual change is in version.go: 1.14...1.16#diff-1ef170619a70876f007d5edfc4554a81aa686eae7678b70df0347b3133cd6d14 😅
>
> (So to put that more directly, I won't be doing an update of gosu in Debian when there wouldn't be any actual substantive change by doing so. 😇)

No problem.

Any idea then why the Docker security scan is providing that viewpoint? Any insight you have would be greatly appreciated.

tianon commented 10 months ago

https://tracker.debian.org/pkg/gosu & https://buildd.debian.org/status/package.php?p=gosu (1.17 is now in Debian Unstable, especially to include #134)