[ https://issues.apache.org/jira/browse/SOLR-17353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18072199#comment-18072199 ]

Jan Høydahl edited comment on SOLR-17353 at 4/9/26 8:25 AM:
------------------------------------------------------------

Hi [~sujeet-hinge]. I have decided to re-open this JIRA. Turns out that it is 
more involved than I thought.

Gosu binary links go libraries statically, so it won't help if Ubuntu upgrades 
go.

So for gosu to be updated in Ubuntu, they need to either include a newer 
version of it, which they tend to be reluctant to do in LTS releases, and they 
are super slow at re-building such tools on newer go versions, even if they 
sometimes do.

A majority of Solr's Docker image vulnerabilities stem from this tiny binary, 
so it is worth doing something even if many of the CVEs would be false 
positives.

Normally we'd benefit from docker team auto upgrading our official image tags 
with new patches of ubuntu without us re-publishing an image. But since that 
has proven not to work for gosu, this is a better option.


So I'll open a PR which does almost what your PR did, but a bit more involved:
 * Install a version of gosu as dictated by an ARG statement, as well as its 
.asc file
 * Download author's GPG key and validate the signature


was (Author: janhoy):
Hi [~sujeet-hinge]. I have decided to re-open this JIRA. Turns out that it is 
more involved than I thought.

Gosu binary links go libraries statically, so it won't help if Ubuntu upgrades 
go.

So for gosu to be updated in Ubuntu, they need to either include a newer 
version of it, which they tend to be reluctant to do in LTS releases, and they 
are super slow at re-building such tools on newer go versions, even if they 
sometimes do.


So I'll open a PR which does almost what your PR did, but a bit more involved:
 * Install a version of gosu as dictated by an ARG statement, as well as its 
.asc file
 * Download author's GPG key and validate the signature
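As an added illustration of the two bullets above (this is not Jan's PR and not code from the Solr image repository), a Dockerfile fragment that pins gosu through an ARG, fetches the binary and its .asc, imports the signing key by fingerprint into a throwaway keyring and fails the build if the signature does not verify. Assumed: an ubuntu:22.04 base, gosu release 1.17 with the GitHub per-arch download layout, and the key fingerprint published in gosu's own INSTALL.md (cross-check it against upstream before relying on it).

```dockerfile
# Added example: pinned, signature-verified gosu install (not the Solr project's Dockerfile).
FROM ubuntu:22.04

# Bump GOSU_VERSION here instead of waiting for the distro package to be rebuilt.
ARG GOSU_VERSION=1.17
# Fingerprint of the gosu release signing key as published in gosu's INSTALL.md (assumption: verify upstream).
ARG GOSU_GPG_KEY=B42F6819007F00F88E364FD4036A9C25BF357DD4

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates curl gnupg dirmngr; \
    dpkgArch="$(dpkg --print-architecture)"; \
    curl -fsSLo /usr/local/bin/gosu \
      "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}"; \
    curl -fsSLo /usr/local/bin/gosu.asc \
      "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc"; \
    # Throwaway keyring: the only key the build trusts is the one pinned above.
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GOSU_GPG_KEY"; \
    # Detached signature must verify against that key, otherwise `set -e` aborts the build.
    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
    # Belt and braces: confirm the imported key really carries the pinned fingerprint.
    gpg --batch --with-colons --fingerprint "$GOSU_GPG_KEY" | grep -q "^fpr:.*:${GOSU_GPG_KEY}:$"; \
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
    chmod +x /usr/local/bin/gosu; \
    # Smoke test: the binary runs and reports the version we asked for.
    gosu --version | grep -q "^${GOSU_VERSION}"; \
    gosu nobody true; \
    # Drop the download/verification tooling from the final layer.
    apt-get purge -y --auto-remove curl gnupg dirmngr; \
    rm -rf /var/lib/apt/lists/*
```

The build needs network access to GitHub and the keyserver; a tampered binary, a missing .asc, or a key that does not match the pinned fingerprint all stop the build rather than silently shipping an unverified gosu.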

> CVE for GoLang and Ubuntu
> -------------------------
>
>                 Key: SOLR-17353
>                 URL: https://issues.apache.org/jira/browse/SOLR-17353
>             Project: Solr
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 9.6
>            Reporter: Sujeet Hinge
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> During our recent security assessments, we have identified several 
> vulnerabilities in the SOLR 9.6.0 package related to Golang and Ubuntu 
> components. Given the potential risk to our systems, we are reaching out for 
> your expertise and support in addressing these issues promptly.
> *Ubuntu Vulnerabilities:*
> ·  CVE-2024-33599
> ·  CVE-2024-2236
> ·  CVE-2024-33600
> ·  CVE-2024-26462
> ·  CVE-2024-22916
> ·  CVE-2024-31879
> *Golang Vulnerabilities in SOLR 9.6.0:*
> ·  CVE-2023-29402
> ·  CVE-2023-24538
> ·  CVE-2022-23806
> ·  CVE-2021-38297
> ·  CVE-2023-29405
> ·  CVE-2023-29404
> ·  CVE-2023-24540
> ·  CVE-2023-39323
> ·  CVE-2022-30633
> ·  CVE-2023-24534
> ·  CVE-2022-29804
> ·  CVE-2022-30630
> ·  CVE-2023-24539
> ·  CVE-2022-2880
> ·  CVE-2023-45285
> ·  CVE-2021-41771
> ·  CVE-2023-45287
> ·  CVE-2022-30631
> ·  CVE-2022-23772
> The component impacted includes the Golang library with the hash {{sha256 
> 51611cdb452a872da14c789533d5aa5208d025f7d940c4367d140ca3b5e66d07}}. We 
> urgently need to understand the potential patches or mitigation strategies 
> you recommend, and the timeline for when these might be implemented in SOLR.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
