jrgemignani commented on issue #2357: URL: https://github.com/apache/age/issues/2357#issuecomment-4128158427
**From Opus 4.6 -** Issue #2357 Analysis: CVE-2025-68121 in AGE Docker Images

**Is it Valid?**

Technically valid, but the issue significantly overstates the severity. The CVE is real (CVE-2025-68121), but there are critical inaccuracies in the issue:

1. CVSS is NOT 10.0 — The GitHub Advisory Database rates it Moderate 4.8/10 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
2. The vulnerable binary is gosu — a privilege-dropping tool in the upstream postgres:18 base image, built with Go 1.24.6. The fix requires Go >= 1.24.13.
3. gosu never uses TLS — It's a simple setuid helper (`gosu postgres command`). Even though crypto/tls is statically linked in the Go binary (confirmed via strings), gosu's code path never invokes TLS. The CVE requires active TLS session resumption with mutated CA pools — something gosu categorically does not do.
4. This is NOT an AGE issue — AGE is a pure C PostgreSQL extension. The AGE Dockerfiles don't install Go or any Go tools. The vulnerability comes entirely from the upstream postgres:18 base image maintained by the Docker Library team.

The CVE is real (CVE-2025-68121), but there are critical inaccuracies in the issue. CVE-2025-68121 requires:

1. Active TLS session resumption
2. Mutation of `ClientCAs` or `RootCAs` between initial and resumed handshake
3. Use of `Config.Clone` or `Config.GetConfigForClient`

None of these conditions can occur in `gosu`. The binary drops privileges and execs — it performs no network operations whatsoever.

### Summary

| Factor | Assessment |
|--------|-----------|
| CVE is real | ✅ Yes |
| Actual CVSS | **4.8 (Moderate)**, not 10.0 |
| Vulnerable binary | `gosu` in upstream `postgres:18` base image |
| Introduced by AGE | ❌ No — upstream dependency |
| Exploitable in this context | ❌ No — gosu does not use TLS |
| Scanner flagging | ✅ Expected — scanners detect Go build metadata |

### Recommendation

This is an upstream base image issue. The fix will come when either:

1. The `postgres:18` Docker image is rebuilt with an updated `gosu` (compiled against Go ≥ 1.24.13), or
2. The `gosu` project releases a new version built with a patched Go toolchain

No changes to the Apache AGE codebase or Dockerfiles are required. Rebuilding AGE Docker images against the latest `postgres:18` base will pick up the fix once it's available upstream.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
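Added example (not code from the issue thread, the AGE project or gosu): a small POSIX shell check that pulls the Go toolchain version out of a Go binary's version banner and compares it with the Go 1.24.13 threshold the comment cites, so a maintainer can confirm whether a rebuilt `postgres:18` image actually picked up the toolchain fix rather than relying on the scanner verdict alone. It assumes the `gosu --version` banner has the form `<gosu version> (go<X.Y.Z> on <os>/<arch>; gc)`; all sample lines below are constructed.

```shell
#!/bin/sh
# Minimum Go toolchain version named in the comment as carrying the fix.
FIXED_GO="1.24.13"

# Extract "X.Y[.Z]" from the first "goX.Y[.Z]" token in a line. Works on a
# gosu banner ("1.17 (go1.24.6 on linux/amd64; gc)") and on "go version -m"
# style output ("go version go1.24.13 linux/amd64"). Prints nothing if the
# line carries no toolchain version.
go_toolchain_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*go\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p' |
        head -n 1
}

# Return 0 when dotted version $1 is >= dotted version $2 (numeric, field by
# field; a missing third field counts as 0, so 1.24 < 1.24.13).
version_ge() {
    want="$2"
    oldifs="$IFS"; IFS=.
    set -- $1;    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $want; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS="$oldifs"
    [ "$a1" -gt "$b1" ] && return 0; [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0; [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Map a version banner to a verdict: "patched" (toolchain >= FIXED_GO),
# "needs-upstream-rebuild" (older toolchain), or "unknown" (no version found).
go_fix_status() {
    v=$(go_toolchain_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_GO"; then
        echo patched
    else
        echo needs-upstream-rebuild
    fi
}

# Constructed sample banner (assumed gosu format), mirroring the Go 1.24.6
# build the comment describes. Against a real image the line would come from:
#   docker run --rm postgres:18 gosu --version
SAMPLE='1.17 (go1.24.6 on linux/amd64; gc)'
printf 'gosu toolchain go%s -> %s\n' \
    "$(go_toolchain_version "$SAMPLE")" "$(go_fix_status "$SAMPLE")"
```

The verdict only says whether the Go toolchain carries the fix; as the comment explains, gosu's code path never reaches crypto/tls, so "needs-upstream-rebuild" is a hygiene finding, not an exploitable one.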
