From dce975bf4e15efa03234b504f154191c220d590d Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Thu, 12 Feb 2026 12:36:08 -0600
Subject: [PATCH] fix(#363): Update OpenBao image to fix CRITICAL CVE-2025-68121 + 4 HIGH CVEs

Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable, released 2026-02-04) in both the Dockerfile and the dev docker-compose.

CVEs resolved:
- CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption
- CVE-2024-8185 (HIGH): DoS via Raft join requests
- CVE-2024-9180 (HIGH): Root namespace privilege escalation
- CVE-2025-59043 (HIGH): DoS via malicious JSON
- CVE-2025-64761 (HIGH): Identity group root escalation

All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new features (horizontal read scalability, OCI plugin distribution).

Files changed:
- docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0
- docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0

The production/swarm compose files use the custom-built git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM this Dockerfile, so they inherit the fix on next CI build.

Fixes #363
---
 docker/docker-compose.yml | 4 ++--
 docker/openbao/Dockerfile | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index b10e7fd..880b97a 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -69,7 +69,7 @@ services:
 - mosaic-network
 openbao:
- image: quay.io/openbao/openbao:2
+ image: quay.io/openbao/openbao:2.5.0
 container_name: mosaic-openbao
 restart: unless-stopped
 user: root
@@ -106,7 +106,7 @@ services:
 com.mosaic.description: "OpenBao secrets management"
 openbao-init:
- image: quay.io/openbao/openbao:2
+ image: quay.io/openbao/openbao:2.5.0
 container_name: mosaic-openbao-init
 restart: unless-stopped
 user: root
diff --git a/docker/openbao/Dockerfile b/docker/openbao/Dockerfile
index e7d630b..e89fc08 100644
--- a/docker/openbao/Dockerfile
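Review bot: The new `image:` lines in both compose hunks (`openbao` at @@ -69 and `openbao-init` at @@ -106), and the `FROM` line in the docker/openbao/Dockerfile hunk, select the fixed release by tag only; a registry tag can be re-pointed after the fact, so the "pin" described in the commit message does not fix the bytes that the next pull or CI build will receive. Pin by digest in addition to the tag, e.g. `image: quay.io/openbao/openbao:2.5.0@sha256:<DIGEST-OF-2.5.0-IMAGE>` in both compose services and the same `@sha256:` suffix on the Dockerfile `FROM`, recording where the digest was read from so it can be refreshed on the next bump. Because the same tag now appears in three places that must agree (the commit message itself notes the production image is built from this Dockerfile), a comment such as `# keep in sync with docker/openbao/Dockerfile` above each compose `image:` line would make a partial future bump easier to spot in review.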
+++ b/docker/openbao/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/openbao/openbao:2
+FROM quay.io/openbao/openbao:2.5.0
 LABEL maintainer="Mosaic Stack "
 LABEL description="OpenBao secrets management for Mosaic Stack"