runc in version 1.0.2

[cpontvieux-systra]

opencontainers/runc present some security issues (https://github.com/opencontainers/runc/releases), notably CVE 2019-16884 and CVE 2019-19921.

Could you please update it to version 1.0.2 and make a new release ? Thanks.

[buchdag]

Hi. This project isn't directly dependant on opencontainers/runc, but it is on fsouza/go-dockerclient, from where comes the dependency. Unless they fix their own dependency on opencontainers/runc, I don't know if we there is something we can do (please let me know if there is).

[cpontvieux-systra]

I agree on master but tag v0.7.7 https://github.com/nginx-proxy/docker-gen/blob/0.7.7/go.mod tells otherwise. So?

[cpontvieux-systra]

It seems that fsouza/go-dockerclient in version 1.7.2 includes the correct version of docker/docker (v20.10.3) despite listing incorrect version of opencontainers/runc as indirect.

I’m not familiar with go deps. Does this indirect mention have a real impact on what is bundle or is it there just for reference?

If it does have an impact, then yes I will open a issue in fsouza/go-dockerclient about it.

Also why such difference between last tag 0.7.7 and main in go.mod? Do you think it’ll be a good idea to make another release when the runc version is resolved?

[buchdag]

Also why such difference between last tag 0.7.7 and main in go.mod ? Do you think it’ll be a good idea to make another release when the runc version is resolved?

Because of #362 that has been merged to main but isn't included in a released version yet. The use of go.mod for this project is relatively new, and we inherited some crap when moving from godeps to go.mod.

I wanted to further clean the structure before releasing this as 0.8.0.

[buchdag]

@cpontvieux-systra with 0.8.0 released, is this still an issue ?

[buchdag]

Fixed in versions >= 0.8.1.