Laurent Goderre

Results 349 comments of Laurent Goderre

The version of xz in this version is not affected by this CVE. As per https://www.cve.org/CVERecord?id=CVE-2024-3094 the version affected starts at 5.6.0 and as per https://hub.docker.com/layers/library/python/3.11.9-alpine3.19/images/sha256-3912f7fe31112ee0f747848328e1a2b225a3aad18d0800bac6e13042642fd202?context=explore the version in the...

I think it's normal that only `/proc/1/fd/2` works because it's the output of process number 1. Using `self` would refer to another process when running it from a shell.

Maybe this part of the Dockerfile is relevant: https://github.com/docker-library/php/blob/master/8.3/bookworm/fpm/Dockerfile#L271-L272

Depends on https://github.com/anchore/packageurl-go/pull/18

I can't find this use case in the MySQL documentation. It's possible that it isn't meant to be configurable.

These are false positives. https://github.com/tianon/gosu/blob/master/SECURITY.md

Stdlib is the Golang standard library which gosu used. However, the Go compiler only uses what the source code uses so the vulnerable part of the library is not used...

I notice the absence of a port when creating the container. I believe that xdebug2 uses port 9000 while xdebug3 uses 9003 so you might need to export that port...