Skip to content

Updating gosu in order to patch critical vulns in Go 1.18.2 #490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Updating gosu in order to patch critical vulns in Go 1.18.2 #490

wants to merge 1 commit into from
+200 −200

Conversation

@aaronmaxlevy
Copy link

@aaronmaxlevy aaronmaxlevy commented Nov 14, 2025

Gosu version 1.17 uses Go version 1.18.2 which has some critical severity vulnerabilities in it (e.g. CVE-2025-22871). This will significantly reduce the vulnerability count in the official Redis Docker images for 6.x and 7.x .

@jit-ci
Copy link

jit-ci bot commented Nov 14, 2025

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

@kalinstaykov kalinstaykov requested a review from Copilot November 15, 2025 08:59
Copilot finished reviewing on behalf of kalinstaykov November 15, 2025 09:01
Copilot AI reviewed Nov 15, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR upgrades gosu from version 1.17 to 1.19 to address critical Go vulnerabilities (e.g., CVE-2025-22871) present in Go 1.18.2 which was used in gosu 1.17. This security update reduces the vulnerability count in official Redis Docker images for versions 6.x and 7.x.

  • Updated gosu version from 1.17 to 1.19 across all Redis versions
  • Updated download URLs for all supported architectures to reference the new gosu 1.19 release
  • Updated SHA256 checksums for all architecture-specific binaries

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Show a summary per file
File Description
versions.json Updated gosu version and SHA256 hashes for all Redis versions (6.2, 7.0, 7.2, 7.4, 7.4-rc) and all architectures
7.4/debian/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
7.4/alpine/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
7.4-rc/debian/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
7.4-rc/alpine/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
7.2/debian/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
7.2/alpine/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
7.0/debian/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
7.0/alpine/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
6.2/debian/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes
6.2/alpine/Dockerfile Updated GOSU_VERSION environment variable and architecture-specific URLs/hashes

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aaronmaxlevy