tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

CVE-2023-24538 and CVE-2023-24540 reported in stdlib as reported by Trivy security scanner #141

Closed tgagor closed 3 months ago

tgagor commented 3 months ago

Hey,

We use gosu in a few of our Docker images and we also use the Trivy security scanner before app deployment, and for a few days Trivy has been detecting two critical vulnerabilities in gosu:

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                         Title                          │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-24538 │ CRITICAL │ fixed  │ 1.18.2            │ 1.19.8, 1.20.3 │ golang: html/template: backticks not treated as string │
│         │                │          │        │                   │                │ delimiters                                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-24538             │
│         ├────────────────┤          │        │                   ├────────────────┼────────────────────────────────────────────────────────┤
│         │ CVE-2023-24540 │          │        │                   │ 1.19.9, 1.20.4 │ golang: html/template: improper handling of JavaScript │
│         │                │          │        │                   │                │ whitespace                                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-24540             │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────┘

I doubt that gosu is heavily impacted by those issues, but it's detected anyway and just annoying. Would it be possible to rebuild gosu and release a new version with up-to-date deps?
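For readers who want to reproduce what the scanner is doing here without Trivy: a Go binary carries the version of the toolchain that built it in its embedded build info (the same data `go version -m gosu` prints), and a "stdlib" finding is simply that version being older than the fixed releases listed in the table. The following is an added example, not code from gosu or from Trivy; it reads that build info with the standard `debug/buildinfo` package and compares the toolchain version against the two advisories from the table above. The advisory list, the hypothetical tool name `gocheck` and the version-comparison logic are assumptions made for the example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// stdlibAdvisory mirrors one row of the Trivy table from the issue: the CVE
// and the earliest patched Go release on each affected branch.
type stdlibAdvisory struct {
	ID    string
	Fixed []string
}

// Constructed from the table in the issue; these are the only two entries.
var advisories = []stdlibAdvisory{
	{ID: "CVE-2023-24538", Fixed: []string{"1.19.8", "1.20.3"}},
	{ID: "CVE-2023-24540", Fixed: []string{"1.19.9", "1.20.4"}},
}

// parseGoVersion turns "go1.18.2", "1.18.2" or "go1.21rc1" into [major, minor, patch].
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3)
	for i, p := range parts {
		// keep only the leading digits so a suffix like "21rc1" parses as 21
		j := 0
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++
		}
		if j == 0 {
			return out, fmt.Errorf("unparseable Go version %q", v)
		}
		n, err := strconv.Atoi(p[:j])
		if err != nil {
			return out, err
		}
		out[i] = n
	}
	return out, nil
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// affected reports whether a toolchain version is below the fix for its own
// minor branch. A branch that never received a fix (1.18 here, which was
// already out of support) counts as affected when it is older than every fix.
func affected(toolchain string, fixed []string) (bool, error) {
	tc, err := parseGoVersion(toolchain)
	if err != nil {
		return false, err
	}
	var fixes [][3]int
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv[0] == tc[0] && fv[1] == tc[1] {
			// same minor branch: affected iff the patch level is below the fix
			return less(tc, fv), nil
		}
		fixes = append(fixes, fv)
	}
	for _, fv := range fixes {
		if less(tc, fv) {
			return true, nil
		}
	}
	return false, nil
}

// findings lists the advisory IDs that apply to a toolchain version string.
func findings(goVersion string) []string {
	var hits []string
	for _, a := range advisories {
		if ok, err := affected(goVersion, a.Fixed); err == nil && ok {
			hits = append(hits, a.ID)
		}
	}
	return hits
}

// checkBinary reads the build info embedded in an executable and returns the
// toolchain version plus the advisories that apply to it.
func checkBinary(path string) (string, []string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	return bi.GoVersion, findings(bi.GoVersion), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <go-binary>")
		os.Exit(2)
	}
	ver, hits, err := checkBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%s built with %s: %d stdlib advisories apply %v\n", os.Args[1], ver, len(hits), hits)
}
```

Run it as `gocheck /usr/local/bin/gosu`; a binary built with go1.18.2 reports both CVEs, matching the table, while one rebuilt with 1.20.4 or later reports none. Note that this only answers "which toolchain built it"; whether the affected package (`html/template`) is actually linked into the binary is a separate question, which is exactly the caveat the reporter raises about gosu.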

tianon commented 3 months ago

https://github.com/tianon/gosu/blob/master/SECURITY.md

tgagor commented 3 months ago

Thanks for the answer and sorry I didn't spot it before.