Update gosu version due to CVEs

[holomekc]

Summary

After email contact I was asked to create it here. Not sure under which type, security did not work for me and suggested the email approach I tried. So here we go:

gosu dropped the runc lib to prevent the security issues they faced in the past last year in November: https://github.com/tianon/gosu/releases/tag/1.17

Can you please update to 1.17 of the gosu lib. At the moment my security tab has multiple CVEs open, because I use your docker image as base:

• CVE-2024-21626 (High)
• CVE-2019-19921 (High)
• CVE-2023-27561 (Moderate)
• Default inheritable capabilities for linux container should be empty (Moderate)
• rootless: /sys/fs/cgroup is writable when cgroupns isn't unshared in runc (Low)

All of them are related to runc

References

No response

[tomakehurst]

Fixed in 95368c00e583c99f362c10ced423d350413d9dbc