
Upgrade Go version 1.23.4 and pkg github.com/moby/sys/user, golang.org/x/sys#154

Open
vkamlesh wants to merge 1 commit into tianon:master from vkamlesh:master

Conversation

@vkamlesh

No description provided.

@vkamlesh vkamlesh changed the title from "Upgrade pkg github.com/moby/sys/user and golang.org/x/sys version" to "Upgrade Go version 1.23.4 and pkg github.com/moby/sys/user, golang.org/x/sys" on Dec 19, 2024
@tianon
Owner

tianon commented Dec 19, 2024

See https://github.com/tianon/gosu/blob/master/SECURITY.md#version-updates

(I don't believe there have been any actual functional updates to the code we use that warrant updating)

@Bezuhlyi

Bezuhlyi commented Jan 28, 2025

@tianon Maybe releasing a version that consists of two parts (functional version + golang version -> gosu-1.17_1.23.4) could help with the concern that if there are no functional changes, you should not release the new version just because of the newer golang used for the build? Similar to how they version Flink images.

I'd deeply appreciate having the option to download the newer version of gosu and put it on top of the Flink image rather than wasting time on requesting and justifying an exception for the dozens of golang vulnerabilities highlighted by the JFrog Xray scanner. It's a common request, after all; let's have some solution.

Guides like this one, https://internetworking.dev/mitigating-gosu-security-concerns/, are crazy.

//cc @vkamlesh

@m0t1x

m0t1x commented Jan 29, 2025

Maybe, from the functionality point of view, the vulnerabilities detected are not a threat, since the docker build process is a local process and maybe gosu is not using the functionality reported by the scanner. Still, it is using a Golang release which is almost 3 years old, and because the whole update process is really not a complex task, I think it is worthwhile to do this update. As suggested by @Bezuhlyi, using a docker-like tag convention app-ver_os-ver, which in your case can be app-ver_go-ver, is a pretty good idea.

@jeremymayhew

Seems like a bad posture to me @tianon. The official Postgres Docker container uses gosu and inherits all the 1.18.2 golang CVEs. Sure, they may be harmless for how gosu is used, but that doesn't mean it isn't an irritant for the less informed. Seems like a dependency refresh every year or two wouldn't be a bad thing. And it will keep you relevant instead of making people want to fork or replace gosu. I could care less about gosu, but I keep inheriting these CVEs. Please consider a refresh patch release or Bezuhlyi/m0t1x's lovely recommendation. And man, an easy button is just teed up for you right here.


@tobiasbaehr

I think we can close this here.
