
Security Vulnerabilities in postgis/postgis:15-3.5 (Go 1.18.2, libxslt1.1, CVE-2023-39325) #415


Open
vivekshiva444 opened this issue Mar 31, 2025 · 2 comments

Comments

@vivekshiva444

vivekshiva444 commented Mar 31, 2025

Description

Hi,

We are using the postgis/postgis:15-3.5 image, and a security scan has identified multiple vulnerabilities that pose a security risk.
Most of these vulnerabilities originate from outdated dependencies like Go 1.18.2, libxslt1.1, and Debian 11.11 as the base image.

  • Go 1.18.2: 3 Critical.
  • libxslt1.1: 2 vulnerabilities.
  • CVE-2023-39325 is still present.

Can you confirm if a patched version is planned or if there are any recommended workarounds?

Thanks!

@ImreSamu
Member

Dear @vivekshiva444 ,

Thank you for your report. Please refer to the “Security Scanner Information” section in our repository’s README for details on what actions we can and cannot take:

Additional security information is available in the upstream docker-postgres repository:

Our Dockerfile is extremely simple and is rebuilt every Monday:

We do have plans to move to a Debian 12-based image; however, I don't believe that this will resolve the false positive security warnings.

Thank you for your understanding.

Best regards,
Imre


How you can verify this for yourself:

Your list:

Checking any upstream updates:

$ docker pull postgis/postgis:15-3.5
....
$ docker run -it --rm postgis/postgis:15-3.5 bash
root@70be48f306a1:/# apt update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [27.2 kB]           
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]                       
Get:4 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg InRelease [129 kB]                
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8,066 kB]
Get:6 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/15 amd64 Packages [2,575 B]
Get:7 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [354 kB]
Get:8 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages [367 kB]
Get:9 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [18.8 kB]       
Fetched 9,125 kB in 2s (3,764 kB/s)                                                       
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@70be48f306a1:/# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libxslt1.1 tzdata
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 546 kB of archives.
After this operation, 1,024 B disk space will be freed.
Do you want to continue? [Y/n] Y
Get:1 http://deb.debian.org/debian-security bullseye-security/main amd64 tzdata all 2025a-0+deb11u1 [306 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security/main amd64 libxslt1.1 amd64 1.1.34-4+deb11u2 [240 kB]
Fetched 546 kB in 0s (2,101 kB/s)   
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 14269 files and directories currently installed.)
Preparing to unpack .../tzdata_2025a-0+deb11u1_all.deb ...
Unpacking tzdata (2025a-0+deb11u1) over (2024b-0+deb11u1) ...
Preparing to unpack .../libxslt1.1_1.1.34-4+deb11u2_amd64.deb ...
Unpacking libxslt1.1:amd64 (1.1.34-4+deb11u2) over (1.1.34-4+deb11u1) ...
Setting up tzdata (2025a-0+deb11u1) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline

Current default time zone: 'Etc/UTC'
Local time is now:      Mon Mar 31 05:15:15 UTC 2025.
Universal Time is now:  Mon Mar 31 05:15:15 UTC 2025.
Run 'dpkg-reconfigure tzdata' if you wish to change it.

Setting up libxslt1.1:amd64 (1.1.34-4+deb11u2) ...
Processing triggers for libc-bin (2.31-13+deb11u11) ...

At the moment, only the libxslt1.1 dependency can be updated. If this issue is considered extremely critical, we may need to ask the upstream Postgres repository to rebuild the image.

@vivekshiva444
Author

Dear Imre,

Thank you for your prompt and detailed response. I appreciate the clarification regarding the vulnerabilities originating from the upstream PostgreSQL image and the information on how PostGIS rebuilds its images weekly.

As per your suggestion, we will include the following command in our container to update libxslt1.1 and mitigate its vulnerabilities:

RUN apt-get update && apt-get upgrade -y libxslt1.1

Additionally, we will compare the security scan results of postgres:15-bullseye and postgis/postgis:15-3.5 to verify that the reported issues align with the upstream base image.

Thank you again for your guidance. Looking forward to future updates, especially regarding the transition to a Debian 12-based image.

Best regards,
Vivek Shiva
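The comparison Vivek describes above (diffing the scan of postgres:15-bullseye against the scan of postgis/postgis:15-3.5 to see which findings are inherited from the base image) can be done mechanically. The script below is an added example and is not code from the PostGIS project or either participant. It assumes a Trivy-style JSON report (top-level "Results", each with a "Class" of "os-pkgs" or "lang-pkgs" and a "Vulnerabilities" list carrying "VulnerabilityID", "PkgName", "InstalledVersion" and "FixedVersion"); both reports are constructed samples, the CVE-0000-000x identifiers and the "example-pkg" and "example-go-binary" names are placeholders, and only CVE-2023-39325 and the libxslt1.1 versions come from the thread. It splits findings into three buckets that matter for a downstream image: inherited from the base (only a base rebuild helps), fixable now with apt in your own layer, and findings in a statically built Go binary that no apt upgrade can touch.

```python
"""Split a derived image's scan findings by who can fix them.

Added example, not PostGIS project code. Assumes a Trivy-style report layout;
both reports below are constructed, and the CVE-0000-000x IDs are placeholders.
"""
import json

# Constructed sample: scan of the upstream base image.
BASE_REPORT = json.dumps({"Results": [
    {"Target": "postgres:15-bullseye (debian 11.11)", "Class": "os-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libxslt1.1",
          "InstalledVersion": "1.1.34-4+deb11u1",
          "FixedVersion": "1.1.34-4+deb11u2", "Severity": "HIGH"}]},
    {"Target": "usr/local/bin/example-go-binary", "Class": "lang-pkgs",
     "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2023-39325", "PkgName": "stdlib",
          "InstalledVersion": "1.18.2",
          "FixedVersion": "1.20.10, 1.21.3", "Severity": "HIGH"}]},
]})

# Constructed sample: scan of the derived image, which adds one extra
# OS package (placeholder name) that the distro has not fixed yet.
DERIVED_REPORT = json.dumps({"Results": [
    {"Target": "postgis/postgis:15-3.5 (debian 11.11)", "Class": "os-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libxslt1.1",
          "InstalledVersion": "1.1.34-4+deb11u1",
          "FixedVersion": "1.1.34-4+deb11u2", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-pkg",
          "InstalledVersion": "1.0-1", "FixedVersion": "",
          "Severity": "MEDIUM"}]},
    {"Target": "usr/local/bin/example-go-binary", "Class": "lang-pkgs",
     "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2023-39325", "PkgName": "stdlib",
          "InstalledVersion": "1.18.2",
          "FixedVersion": "1.20.10, 1.21.3", "Severity": "HIGH"}]},
]})


def load_findings(report_json):
    """Flatten a report into {(cve_id, package): details}."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        pkg_class = result.get("Class", "os-pkgs")
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["VulnerabilityID"], vuln["PkgName"])
            findings[key] = {
                "class": pkg_class,
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            }
    return findings


def classify(base_json, derived_json):
    """Bucket the derived image's findings by where a fix has to come from."""
    base = load_findings(base_json)
    derived = load_findings(derived_json)
    inherited = sorted(k for k in derived if k in base)
    introduced = sorted(k for k in derived if k not in base)
    # apt can only help with OS packages for which the distro ships a fix.
    apt_upgradable = sorted({pkg for (_, pkg), f in derived.items()
                             if f["class"] == "os-pkgs" and f["fixed"]})
    # No distro fix yet: nothing to install, only wait or mitigate elsewhere.
    no_distro_fix = sorted(k for k, f in derived.items()
                           if f["class"] == "os-pkgs" and not f["fixed"])
    # Compiled into a binary (e.g. a Go module): needs an upstream rebuild.
    needs_upstream_rebuild = sorted(k for k, f in derived.items()
                                    if f["class"] != "os-pkgs")
    return {
        "inherited": inherited,
        "introduced": introduced,
        "apt_upgradable": apt_upgradable,
        "no_distro_fix": no_distro_fix,
        "needs_upstream_rebuild": needs_upstream_rebuild,
    }


def apt_upgrade_command(packages):
    """Dockerfile RUN line that upgrades only the named packages."""
    if not packages:
        return None
    return ("apt-get update && apt-get install -y --only-upgrade "
            + " ".join(packages) + " && rm -rf /var/lib/apt/lists/*")


if __name__ == "__main__":
    buckets = classify(BASE_REPORT, DERIVED_REPORT)
    for name, items in buckets.items():
        print(f"{name}: {items}")
    print("RUN", apt_upgrade_command(buckets["apt_upgradable"]))
```

Run it against two real reports by replacing the embedded samples with the files your scanner produced for the base and derived images. The `needs_upstream_rebuild` bucket is the one that no `RUN apt-get ...` line in your own Dockerfile can empty: a Go standard-library finding such as CVE-2023-39325 lives inside a compiled binary, so only a rebuild with a newer toolchain in the upstream image removes it. `--only-upgrade` keeps the layer minimal and avoids installing packages that happen to be missing from the base.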
