
Upgrade runc to latest. #109

Closed
coltonfreeman26 opened this issue May 25, 2022 · 7 comments · Fixed by #110
Comments

@coltonfreeman26

coltonfreeman26 commented May 25, 2022

Good day all,
I am wondering if there are any plans to update the version of runc you use?
Currently you are on 1.1.0 and runc 1.1.2 was released a couple of weeks ago.
Thank you.

Usage: gosu user-spec command [args]
   eg: gosu tianon bash
       gosu nobody:root bash -c 'whoami && id'
       gosu 1000:1 id

gosu version: 1.14 (go1.16.7 on linux/amd64; gc)
gosu license: Apache-2.0 (full text at https://github.com/tianon/gosu)

I just read that gosu 1.14 uses runc 1.0.1

@tianon
Owner

tianon commented May 25, 2022

Yeah, I'll update the go.mod to point to the newer version, but I will warn that I don't plan to make a new release that contains that change as there are no functional changes to the bits of runc that gosu actually invokes which make a new release worth doing.

@tianon
Owner

tianon commented May 25, 2022

(If this is CVE-motivated, I'd suggest checking out #104)

@coltonfreeman26
Author

Thank you for getting back so quickly. I have looked there and this is CVE-motivated.
GHSA-f3fp-gc8g-vw66
Please let me know if there is any other information you need.

@tianon
Owner

tianon commented May 25, 2022

Thanks, added!

  • CVE-2022-29162: does not use capabilities (#109)

@olljanat

@tianon can you also release new version with this fix included?

@adberger

@tianon I would also love to have a new gosu release with runc v1.1.2.
Our security scanner is listing these CVEs because it has no context or information like this: #104
Making exceptions seems unnecessary.

If you really don't intend to release a new version, am I allowed to build my own version?
gosu is Apache License Version 2.0

@tianon
Owner

tianon commented Jun 20, 2022

#104 (comment):

I try to keep the main development branch up-to-date with newer package versions, but I have no plans to make a new release of gosu unless there is a compelling reason to do so (changes to/CVEs in the actual codepaths gosu invokes, changes to gosu itself, etc).

(You really should report anything like this to your security scanner vendor -- they're 100% false-positives.)

If you really don't intend to release a new version, am I allowed to build my own version?

You are free to make your own builds of gosu, yes (distributions like Debian already do this, even with different versions of the dependencies than I do). If you are doing more than just rebuilding the upstream project as-is, I only request that you call your project/binaries something other than gosu. ❤️
