mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
429cf85f87b830a956886aefb03af7b59c10bc9a
stack/docker/postgres/Dockerfile
Jason Woltje 429cf85f87 fix(#363): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs 
The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.

Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI

CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 12:38:33 -06:00

48 lines
1.8 KiB
Docker
Raw Blame History

# Stage 1: Rebuild gosu with patched Go compiler
# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains:
# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
# - CVE-2025-61726 (HIGH): net/url memory exhaustion
# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
# - CVE-2025-61729 (HIGH): crypto/x509 DoS
# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs.
FROM golang:1.26-alpine3.22 AS gosu-builder
ARG GOSU_VERSION=1.19
RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}
# Stage 2: PostgreSQL with pgvector and patched gosu
FROM postgres:17.7-alpine3.22
LABEL maintainer="Mosaic Stack <dev@mosaic.local>"
LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"
# Replace vulnerable gosu binary with version rebuilt using Go 1.26
COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
RUN chmod +sx /usr/local/bin/gosu && gosu nobody true
# Update Alpine packages for any remaining OS-level patches
RUN apk update && apk upgrade
# Install build dependencies for pgvector
RUN apk add --no-cache --virtual .build-deps \
git \
build-base
# Clone and build pgvector v0.7.4 (without LLVM bitcode compilation)
RUN git clone --branch v0.7.4 https://github.com/pgvector/pgvector.git /tmp/pgvector \
&& cd /tmp/pgvector \
&& make OPTFLAGS="" with_llvm=no \
&& make install with_llvm=no \
&& rm -rf /tmp/pgvector
# Clean up build dependencies to reduce image size
RUN apk del .build-deps
# Copy initialization scripts
COPY init-scripts/ /docker-entrypoint-initdb.d/
# Expose PostgreSQL port
EXPOSE 5432
Reference in New Issue View Git Blame Copy Permalink