
This version of gosu is bringing cves

Open dogruis opened this issue 11 months ago • 3 comments

https://github.com/redis/docker-library-redis/blob/e5650da99bb377b2ed4f9f1ef993ff24729b1c16/7.4/alpine/Dockerfile#L24

https://github.com/tianon/gosu/issues/151 I created an issue to fix the cve errors

linked to https://github.com/redis/redis/issues/13663

After reading this thread I am convinced that gosu shouldn't be used at all, as the lib hasn't had a release in more than a year and the lib owner refuses to bump the golang version to 1.23 anytime soon. https://github.com/tianon/gosu/issues/136

dogruis avatar Nov 21 '24 14:11 dogruis

Just for the update: the owner of the lib is refusing to update his library to fix CVEs, as stated in his readme. I understand there are false positives, but maintaining libraries should still be a thing. https://github.com/tianon/gosu/issues/136

dogruis avatar Dec 02 '24 11:12 dogruis

@dogruis is there a plan to remove gosu? Or will these vulns remain present in the image?

charles-horel-rogers avatar Feb 24 '25 20:02 charles-horel-rogers

I am not part of the redis team and I requested something to be done. Tbh I would not use gosu, as there are command-line alternatives.

dogruis avatar Feb 24 '25 20:02 dogruis

@oranagra @sundb @enjoy-binbin do we have any news?


frankyjquintero avatar Mar 17 '25 15:03 frankyjquintero

Hi @frankyjquintero,

from what I see, I would categorize this as a false positive, but we will take a deeper look. @adamiBs FYI.

@tianon Could you please confirm the following:

  1. You are addressing CVEs related to Go that are related to interfaces that impact gosu. Because there might be security issues in Go that are irrelevant to gosu, Docker Hub's CVE reporting might include false positives. So it reports a CVE in Go that has no impact on gosu or the Docker containers that use gosu in the entrypoint script. Is this understanding correct?
  2. The command gosu is used to run redis-server under the user redis if no --user flag is specified when starting the container. This seems to be a safeguard mechanism to avoid running the process under root within the container. You can still restrict it more by running the container via docker run --user redis redis.

Regards, David

dmaier-redislabs avatar Mar 17 '25 16:03 dmaier-redislabs
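The safeguard described in point 2 above, as an added example: this is not the redis image's own docker-entrypoint.sh and not gosu code, but a minimal entrypoint in the same shape. It shows why the privilege drop (and therefore gosu) only ever runs when the container starts as root, and why `docker run --user redis redis` never reaches it. REDIS_USER, DATA_DIR, privdrop_prefix and entrypoint_main are names chosen for this example; the mention of su-exec and setpriv as drop-in alternatives is the editor's, not the thread's.

```shell
#!/bin/sh
# Added example (not the redis image's own docker-entrypoint.sh and not gosu
# code): the privilege-drop pattern the thread describes. REDIS_USER, DATA_DIR,
# privdrop_prefix and entrypoint_main are names chosen here, not the image's.
set -eu

REDIS_USER="${REDIS_USER:-redis}"   # unprivileged account the server should run as
DATA_DIR="${DATA_DIR:-/data}"       # volume whose ownership the root path fixes up

# Decide whether the entrypoint has to re-exec under an unprivileged user.
#   $1 = numeric uid the entrypoint currently runs as (from 'id -u')
#   $2 = first word of the container command
# Prints the command prefix to put in front of "$@"; empty means exec directly.
privdrop_prefix() {
    uid="$1"
    cmd="$2"
    if [ "$uid" -eq 0 ] && [ "$cmd" = "redis-server" ]; then
        # Still root: hand off to the unprivileged user before starting the
        # server. gosu is what the official image uses; su-exec (Alpine) or
        # setpriv (util-linux) do the same single job without a Go runtime.
        printf '%s\n' "gosu $REDIS_USER"
    else
        # Already unprivileged (e.g. 'docker run --user redis redis') or not
        # redis-server at all: gosu is never executed on this path, which is
        # why the --user flag sidesteps the reported gosu CVEs entirely.
        printf '\n'
    fi
}

entrypoint_main() {
    # 'docker run redis --appendonly yes' style: a leading flag means redis-server
    if [ "${1#-}" != "$1" ]; then
        set -- redis-server "$@"
    fi
    prefix="$(privdrop_prefix "$(id -u)" "$1")"
    if [ -n "$prefix" ]; then
        # Only root can (and needs to) fix up ownership of the data volume.
        chown -R "$REDIS_USER" "$DATA_DIR"
        # $prefix is intentionally unquoted: it is "gosu redis", two words.
        exec $prefix "$@"
    fi
    exec "$@"
}

# Run the entrypoint only when installed under that name, so the file can be
# sourced (e.g. by a test) without exec'ing anything.
case "${0##*/}" in
    docker-entrypoint.sh) entrypoint_main "$@" ;;
esac
```

To check which path a running container actually took, read the uid of PID 1 (the exec'd redis-server) rather than trusting the scanner report: `docker exec <container> sh -c 'grep ^Uid /proc/1/status'` (container name is a placeholder) should show a non-zero uid on every column whether the image dropped privileges itself or was started with --user.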

Yes, that is correct (on both counts).

tianon avatar Mar 17 '25 22:03 tianon

@peter-sh Resolves this in an upcoming release: https://github.com/redis/docker-library-redis/pull/435

adamiBs avatar Mar 26 '25 14:03 adamiBs

Our latest RC image contains the fix for this: https://hub.docker.com/layers/library/redis/8.0-rc1/images/sha256-4e04eab2df86d0f888262215afdf467f2509962a7c1818ac4cac9590912dfcd5

adamiBs avatar Apr 14 '25 10:04 adamiBs

Great, but when is this release coming? It's been many, many months and still no new tag. You already had a fix months ago; what we are asking for is a new tag containing the fixes.

dogruis avatar Apr 14 '25 10:04 dogruis

The link I sent is a docker tag that contains this fix. @dogruis

adamiBs avatar Apr 15 '25 07:04 adamiBs

Not really: it's a release candidate, not a release, so I would wait for a new release instead. Thanks a lot!!!!!

dogruis avatar Apr 15 '25 08:04 dogruis

We are very close to the 8.0 GA release. Sorry, but we cannot share the exact date.

LiorKogan avatar Apr 15 '25 08:04 LiorKogan

Will this fix be merged into redis 6 and redis 7?

rayhsieh avatar May 02 '25 09:05 rayhsieh