2026-02-17 01:04:47 +00:00
6 changed files with 27 additions and 8 deletions
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -29,7 +29,7 @@ variables:

 services:
  postgres:
-    image: postgres:17-alpine
+    image: postgres:17.7-alpine3.22
    environment:
      POSTGRES_DB: test_db
      POSTGRES_USER: test_user
--- a/docker-compose.swarm.portainer.yml
+++ b/docker-compose.swarm.portainer.yml
@@ -117,7 +117,7 @@ services:
  # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env
  #
  # authentik-postgres:
-  #   image: postgres:17-alpine
+  #   image: postgres:17.7-alpine3.22
  #   environment:
  #     POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
  #     POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
@@ -141,7 +141,7 @@ services:
  # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env
  #
  # authentik-postgres:
-  #   image: postgres:17-alpine
+  #   image: postgres:17.7-alpine3.22
  #   env_file: .env
  #   environment:
  #     POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,7 +69,7 @@ services:
  # Authentik PostgreSQL
  # ======================
  # authentik-postgres:
-  #   image: postgres:17-alpine
+  #   image: postgres:17.7-alpine3.22
  #   container_name: mosaic-authentik-postgres
  #   restart: unless-stopped
  #   environment:
--- a/docker/docker-compose.build.yml
+++ b/docker/docker-compose.build.yml
@@ -71,7 +71,7 @@ services:
  # Authentik PostgreSQL
  # ======================
  authentik-postgres:
-    image: postgres:17-alpine
+    image: postgres:17.7-alpine3.22
    container_name: mosaic-authentik-postgres
    restart: unless-stopped
    environment:
--- a/docker/postgres/Dockerfile
+++ b/docker/postgres/Dockerfile
@@ -1,9 +1,28 @@
-FROM postgres:17-alpine
+# Stage 1: Rebuild gosu with patched Go compiler
+# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains:
+#   - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
+#   - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
+#   - CVE-2025-61726 (HIGH): net/url memory exhaustion
+#   - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
+#   - CVE-2025-61729 (HIGH): crypto/x509 DoS
+#   - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
+# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs.
+FROM golang:1.26-alpine3.22 AS gosu-builder
+
+ARG GOSU_VERSION=1.19
+RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}
+
+# Stage 2: PostgreSQL with pgvector and patched gosu
+FROM postgres:17.7-alpine3.22

 LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
-LABEL description="PostgreSQL 17 with pgvector extension"
+LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"

-# Update Alpine packages to patch Go stdlib vulnerabilities (CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, CVE-2025-61729)
+# Replace vulnerable gosu binary with version rebuilt using Go 1.26
+COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+RUN chmod +sx /usr/local/bin/gosu && gosu nobody true
+
+# Update Alpine packages for any remaining OS-level patches
 RUN apk update && apk upgrade

 # Install build dependencies for pgvector