a67793581 opened a new issue, #2247: URL: https://github.com/apache/age/issues/2247
**Describe the bug**

The Docker image `apache/age:release_PG17_1.6.0` contains 4 high security vulnerabilities, which poses a security risk when used in production environments.

**How are you accessing AGE (Command line, driver, etc.)?**

- Docker image

**What data setup do we need to do?**

N/A - This is a base image security issue, not related to data setup.

**What is the necessary configuration info needed?**

- Using the official Apache AGE Docker image: `apache/age:release_PG17_1.6.0`
- Docker image scanning reveals: 0 Critical, 4 High, 9 Medium, 29 Low vulnerabilities

**What is the command that caused the error?**

```dockerfile
FROM apache/age:release_PG17_1.6.0
```

When scanning the image with Docker security tools, the following vulnerabilities are detected:

```
Current image vulnerabilities: 0C 4H 9M 29L
```

**Expected behavior**

The base Docker image should be regularly updated to patch known security vulnerabilities. The image should have minimal or no high-severity vulnerabilities, especially for production use.

**Environment (please complete the following information):**

- Version: `apache/age:release_PG17_1.6.0`
- PostgreSQL Version: 17
- AGE Version: 1.6.0

**Additional context**

This issue affects anyone using the official Apache AGE Docker image as a base image. The vulnerabilities should be addressed by:

1. Updating base packages in the image
2. Rebuilding and publishing a new image version with security patches
3. Providing regular security updates for the Docker image

The Dockerfile in question:

```dockerfile
FROM apache/age:release_PG17_1.6.0
ARG PG_MAJOR=17
# Fetch the pgvector source tree at tag v0.8.1 (BuildKit git ADD syntax)
ADD https://github.com/pgvector/pgvector.git#v0.8.1 /tmp/pgvector
# Build and install pgvector, then remove the toolchain so it does not ship in the final image
RUN apt-get update && \
    apt-mark hold locales && \
    apt-get install -y --no-install-recommends build-essential postgresql-server-dev-$PG_MAJOR && \
    cd /tmp/pgvector && \
    make clean && \
    make OPTFLAGS="" && \
    make install && \
    mkdir /usr/share/doc/pgvector && \
    cp LICENSE README.md /usr/share/doc/pgvector && \
    rm -r /tmp/pgvector && \
    apt-get remove -y build-essential postgresql-server-dev-$PG_MAJOR && \
    apt-get autoremove -y && \
    apt-mark unhold locales && \
    rm -rf /var/lib/apt/lists/*
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
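Added example, not code from the issue or the AGE project: a POSIX shell gate for the rebuild-and-scan step the report asks for. It parses a `0C 4H 9M 29L` style scanner summary and fails when critical plus high findings exceed a limit; the sample summary line is constructed from the counts in the report, and the `trivy` scan, the `Dockerfile` path and the zero-High threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample summary, matching the counts in the report above
# (0 Critical, 4 High, 9 Medium, 29 Low). In CI, substitute the real
# scanner summary line for the image under test.
SAMPLE_SUMMARY='0C 4H 9M 29L'

# count_severity SUMMARY LETTER
# Prints the count for severity LETTER (C, H, M or L) in a "0C 4H 9M 29L"
# style summary, or 0 if that severity is absent.
count_severity() {
  summary=$1; letter=$2
  for tok in $summary; do
    case $tok in
      *"$letter") printf '%s\n' "${tok%"$letter"}"; return 0 ;;
    esac
  done
  printf '0\n'
}

# gate_on_summary SUMMARY [MAX_ALLOWED]
# Returns 0 when critical + high findings are within MAX_ALLOWED (default 0),
# 1 otherwise. This is the "minimal or no high-severity vulnerabilities"
# expectation from the report turned into a build gate.
gate_on_summary() {
  summary=$1; max_allowed=${2:-0}
  crit=$(count_severity "$summary" C)
  high=$(count_severity "$summary" H)
  total=$((crit + high))
  if [ "$total" -gt "$max_allowed" ]; then
    echo "FAIL: $crit critical + $high high findings (limit $max_allowed)" >&2
    return 1
  fi
  echo "OK: $crit critical + $high high findings (limit $max_allowed)"
}

# rebuild_and_scan TAG
# The rebuild-then-scan step: --pull refreshes the base image, --no-cache
# forces apt-get update to fetch current package lists, and trivy (assumed
# to be installed) fails the build if any HIGH or CRITICAL finding remains.
# Not invoked at top level, so the file can be sourced without docker present.
rebuild_and_scan() {
  tag=$1
  docker build --pull --no-cache -t "$tag" -f Dockerfile . || return 1
  trivy image --severity HIGH,CRITICAL --exit-code 1 "$tag"
}
```

Call `rebuild_and_scan your/image:tag` from a pipeline step to enforce the gate on every rebuild of the derived image.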
