mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#363): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs

Browse Source 
The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.

Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI

CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-12 12:38:33 -06:00
parent dce975bf4e
commit 429cf85f87
6 changed files with 27 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docker/docker-compose.build.yml
View File

@@ -71,7 +71,7 @@ services:
# Authentik PostgreSQL
# ======================
authentik-postgres:
image: postgres:17-alpine
image: postgres:17.7-alpine3.22
container_name: mosaic-authentik-postgres
restart: unless-stopped
environment:

25
docker/postgres/Dockerfile
View File

@@ -1,9 +1,28 @@
FROM postgres:17-alpine
# Stage 1: Rebuild gosu with patched Go compiler
# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains:
# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
# - CVE-2025-61726 (HIGH): net/url memory exhaustion
# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
# - CVE-2025-61729 (HIGH): crypto/x509 DoS
# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs.
FROM golang:1.26-alpine3.22 AS gosu-builder
ARG GOSU_VERSION=1.19
RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}
# Stage 2: PostgreSQL with pgvector and patched gosu
FROM postgres:17.7-alpine3.22
LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
LABEL description="PostgreSQL 17 with pgvector extension"
LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
# Update Alpine packages to patch Go stdlib vulnerabilities (CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, CVE-2025-61729)
# Replace vulnerable gosu binary with version rebuilt using Go 1.26
COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
RUN chmod +sx /usr/local/bin/gosu && gosu nobody true
# Update Alpine packages for any remaining OS-level patches
RUN apk update && apk upgrade
# Install build dependencies for pgvector