mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#363): use pre-built gosu image instead of go install

Browse Source 
gosu doesn't publish proper Go module semver tags, so
`go install github.com/tianon/gosu@v1.19` fails with "no matching
versions". Replace the multi-stage golang builder with
`COPY --from=tianon/gosu /gosu /usr/local/bin/gosu`, which pulls the
pre-built binary from the official tianon/gosu Docker image. This image
is rebuilt with recent Go toolchains, so it still addresses the Go
stdlib CVEs documented in the Dockerfile comments.

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-12 16:03:55 -06:00
parent 8020101cc8
commit 6335459799
1 changed files with 8 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
docker/postgres/Dockerfile
View File

@@ -1,25 +1,22 @@
# Stage 1: Rebuild gosu with patched Go compiler # PostgreSQL with pgvector and up-to-date gosu
# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains: #
# Override the base image's gosu binary with the latest from tianon/gosu.
# The postgres base image bundles gosu built with Go 1.24.6, which contains:
# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability # - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation # - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
# - CVE-2025-61726 (HIGH): net/url memory exhaustion # - CVE-2025-61726 (HIGH): net/url memory exhaustion
# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion # - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
# - CVE-2025-61729 (HIGH): crypto/x509 DoS # - CVE-2025-61729 (HIGH): crypto/x509 DoS
# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability # - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs. # The tianon/gosu image is rebuilt with recent Go toolchains, eliminating these CVEs.
FROM golang:1.26-alpine3.22 AS gosu-builder # Using COPY --from avoids `go install` failures (gosu lacks semver Go module tags).
ARG GOSU_VERSION=1.19
RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}
# Stage 2: PostgreSQL with pgvector and patched gosu
FROM postgres:17.7-alpine3.22 FROM postgres:17.7-alpine3.22
LABEL maintainer="Mosaic Stack <dev@mosaic.local>" LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
LABEL description="PostgreSQL 17 with pgvector extension and patched gosu" LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
# Replace vulnerable gosu binary with version rebuilt using Go 1.26 # Replace vulnerable gosu binary with latest pre-built version from tianon/gosu
COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu COPY --from=tianon/gosu /gosu /usr/local/bin/gosu
RUN chmod +sx /usr/local/bin/gosu && gosu nobody true RUN chmod +sx /usr/local/bin/gosu && gosu nobody true
# Update Alpine packages for any remaining OS-level patches # Update Alpine packages for any remaining OS-level patches