`gosu` is a universe package in Ubuntu, and from what I can see was inherited from `sid` at version 1.17.1: https://packages.debian.org/sid/gosu

I see no open bugs against `gosu`: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gosu, and it needs to be confirmed that it's built against golang 1.17 in `debian`. Not my expertise; normally the correct move would be to go upstream first. Since I control things on the Ubuntu side for cloud-images, I'll move the ticket around there. I'll also make it public as it's not a new security vulnerability (private security bugs are for new disclosures, not for tracking already announced vulnerabilities).

Public Ubuntu tracking of the golang vulnerability: https://ubuntu.com/security/CVE-2024-24790

Note, since this is reported against Noble, I _believe_ this is an incorrect match. I'm working on double checking, but in noble, the golangs have been patched (both 1.21 and 1.22). It's likely a bad version string match, but I've listed this against `gosu` for someone to double check my assertions. `gosu` in noble is building against `golang-go=1.22`: http://archive.ubuntu.com/ubuntu/pool/universe/g/gosu/gosu_1.17-1.dsc

** Also affects: gosu (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: cloud-images
       Status: New => Invalid

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-24790

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072883

Title:
  Docker scout reports critical and high vulnerabilities for Ubuntu docker images with installed gosu

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/2072883/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
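As an added triage helper (example code, not part of this bug report or of the gosu package), the following Python parses `go version -m <binary>` output and applies the reasoning in the comment above: a toolchain version string below the upstream fix release is only a lead, because a distro-built Go keeps its upstream version string after the distro backports the fix, so the distro CVE tracker has to be consulted before the hit is treated as real. The sample build info, the `go1.22.2` toolchain string and the fix-version table are constructed placeholders, not the real values for CVE-2024-24790.

```python
# Added triage helper for scanner hits on the Go toolchain version embedded in a
# distro-packaged binary. Not code from the bug report or the gosu project.
import re
from dataclasses import dataclass, field

# Constructed sample of `go version -m /usr/sbin/gosu` output (values invented).
SAMPLE_BUILDINFO = """\
/usr/sbin/gosu: go1.22.2
\tpath\tgithub.com/tianon/gosu
\tmod\tgithub.com/tianon/gosu\t(devel)
\tdep\tgithub.com/moby/sys/user\tv0.1.0\th1:PLACEHOLDER
\tbuild\t-trimpath=true
"""

# Placeholder upstream fix releases per minor series, NOT the real ones for the CVE.
EXAMPLE_FIXED_IN = {"1.21": "1.21.99", "1.22": "1.22.99"}

@dataclass
class BuildInfo:
    binary: str
    toolchain: tuple                      # (major, minor, patch) from "go1.22.2"
    main_module: str = ""
    deps: dict = field(default_factory=dict)

def parse_go_version(s):
    """'go1.22.2' -> (1, 22, 2); release candidates/betas collapse to the base."""
    m = re.fullmatch(r"go(\d+)\.(\d+)(?:\.(\d+))?(?:rc\d+|beta\d+)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Go version: {s!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))

def parse_buildinfo(text):
    first, *rest = text.strip().splitlines()
    binary, version = first.split(": ", 1)
    info = BuildInfo(binary, parse_go_version(version))
    for line in rest:
        fields = line.strip().split("\t")
        if fields[0] == "path":
            info.main_module = fields[1]
        elif fields[0] == "dep":
            info.deps[fields[1]] = fields[2]
    return info

def triage(info, fixed_in, distro_patched):
    """fixed_in: {'MAJOR.MINOR': first upstream fix release}.
    distro_patched: True when the distro tracker (e.g. ubuntu.com/security/CVE-...)
    lists the golang toolchain package for this release as already fixed."""
    major, minor, _ = info.toolchain
    fixed = fixed_in.get(f"{major}.{minor}")
    if fixed is None or parse_go_version("go" + fixed) <= info.toolchain:
        return "not-affected"             # series not affected, or built with the fix
    # Below the upstream fix string: a backported distro toolchain still reports the
    # old upstream version, so the version-only match is not a confirmed finding.
    return "false-positive-distro-backport" if distro_patched else "needs-rebuild"
```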