diff --git a/.woodpecker/api.yml b/.woodpecker/api.yml index ea2736d..843057e 100644 --- a/.woodpecker/api.yml +++ b/.woodpecker/api.yml @@ -29,7 +29,7 @@ variables: services: postgres: - image: postgres:17-alpine + image: postgres:17.7-alpine3.22 environment: POSTGRES_DB: test_db POSTGRES_USER: test_user diff --git a/docker-compose.swarm.portainer.yml b/docker-compose.swarm.portainer.yml index 84a2695..538fc21 100644 --- a/docker-compose.swarm.portainer.yml +++ b/docker-compose.swarm.portainer.yml @@ -117,7 +117,7 @@ services: # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env # # authentik-postgres: - # image: postgres:17-alpine + # image: postgres:17.7-alpine3.22 # environment: # POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik} # POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password} diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml index 98145a2..0763c48 100644 --- a/docker-compose.swarm.yml +++ b/docker-compose.swarm.yml @@ -141,7 +141,7 @@ services: # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env # # authentik-postgres: - # image: postgres:17-alpine + # image: postgres:17.7-alpine3.22 # env_file: .env # environment: # POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik} diff --git a/docker-compose.yml b/docker-compose.yml index 9b8d508..beca7d0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -69,7 +69,7 @@ services: # Authentik PostgreSQL # ====================== # authentik-postgres: - # image: postgres:17-alpine + # image: postgres:17.7-alpine3.22 # container_name: mosaic-authentik-postgres # restart: unless-stopped # environment: diff --git a/docker/docker-compose.build.yml b/docker/docker-compose.build.yml index f7e5651..f180fe9 100644 --- a/docker/docker-compose.build.yml +++ b/docker/docker-compose.build.yml 
@@ -71,7 +71,7 @@ services: # Authentik PostgreSQL # ====================== authentik-postgres: - image: postgres:17-alpine + image: postgres:17.7-alpine3.22 container_name: mosaic-authentik-postgres restart: unless-stopped environment: diff --git a/docker/postgres/Dockerfile b/docker/postgres/Dockerfile index 55147d4..4774f6a 100644 --- a/docker/postgres/Dockerfile +++ b/docker/postgres/Dockerfile @@ -1,9 +1,28 @@ -FROM postgres:17-alpine +# Stage 1: Rebuild gosu with patched Go compiler +# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains: +# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability +# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation +# - CVE-2025-61726 (HIGH): net/url memory exhaustion +# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion +# - CVE-2025-61729 (HIGH): crypto/x509 DoS +# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability +# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs. +FROM golang:1.26-alpine3.22 AS gosu-builder + +ARG GOSU_VERSION=1.19 +RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION} + +# Stage 2: PostgreSQL with pgvector and patched gosu +FROM postgres:17.7-alpine3.22 LABEL maintainer="Mosaic Stack " -LABEL description="PostgreSQL 17 with pgvector extension" +LABEL description="PostgreSQL 17 with pgvector extension and patched gosu" -# Update Alpine packages to patch Go stdlib vulnerabilities (CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, CVE-2025-61729) +# Replace vulnerable gosu binary with version rebuilt using Go 1.26 +COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu +RUN chmod +sx /usr/local/bin/gosu && gosu nobody true + +# Update Alpine packages for any remaining OS-level patches RUN apk update && apk upgrade # Install build dependencies for pgvector
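Review bot: `RUN chmod +sx /usr/local/bin/gosu && gosu nobody true` sets the setuid and setgid bits on gosu, a privilege-dropping helper whose upstream project explicitly advises against running it setuid; as a root-owned setuid binary it would let any unprivileged process in the container run commands as any user, including root, which the base image never permits since it ships gosu without those bits. The line should only restore the execute bit and keep the existing self-test, e.g. `RUN chmod 0755 /usr/local/bin/gosu && gosu --version && gosu nobody true`. The builder stage also pulls the floating tag `golang:1.26-alpine3.22` while the runtime stage is pinned to a patch release, so the toolchain actually used to rebuild gosu can drift between builds; pinning both `FROM` lines by digest (`@sha256:<digest>`) would make the rebuild reproducible and keep the header comment's CVE list tied to the image that is built. For the same reason the comment's claim that the rebuild "eliminates all Go stdlib CVEs" overstates what the stage guarantees and would read more accurately as "addresses the Go stdlib CVEs listed above".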