docker/postgres/Dockerfile

@@ -1,25 +1,22 @@
-# Stage 1: Rebuild gosu with patched Go compiler
-# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains:
+# PostgreSQL with pgvector and up-to-date gosu
+#
+# Override the base image's gosu binary with the latest from tianon/gosu.
+# The postgres base image bundles gosu built with Go 1.24.6, which contains:
 #   - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
 #   - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
 #   - CVE-2025-61726 (HIGH): net/url memory exhaustion
 #   - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
 #   - CVE-2025-61729 (HIGH): crypto/x509 DoS
 #   - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
-# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs.
-FROM golang:1.26-alpine3.22 AS gosu-builder
-
-ARG GOSU_VERSION=1.19
-RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}
-
-# Stage 2: PostgreSQL with pgvector and patched gosu
+# The tianon/gosu image is rebuilt with recent Go toolchains, eliminating these CVEs.
+# Using COPY --from avoids `go install` failures (gosu lacks semver Go module tags).
 FROM postgres:17.7-alpine3.22
 
 LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
 LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
 
-# Replace vulnerable gosu binary with version rebuilt using Go 1.26
-COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
+# Replace vulnerable gosu binary with latest pre-built version from tianon/gosu
+COPY --from=tianon/gosu /gosu /usr/local/bin/gosu
 RUN chmod +sx /usr/local/bin/gosu && gosu nobody true
 
 # Update Alpine packages for any remaining OS-level patches