Thread: BUG #18702: Critical & High Security vulnerability issue with Trivy Scan in postgres 16
BUG #18702: Critical & High Security vulnerability issue with Trivy Scan in postgres 16
From
PG Bug reporting form
Date:
The following bug has been logged on the website:
Bug reference: 18702
Logged by: Sathyendran Vellaisamy
Email address: sathyendran.vellaisamy@intel.com
PostgreSQL version: 16.0
Operating system: Ubuntu
Description:
Hi Team,
We are using the postgres 16 docker image from hub and found some Critical and High vulnerabilities. This fix is essential for our releases. Please provide a fix for the vulnerability issues below.
Below is the report from the Trivy scan:

Trivy Vulnerability Scan Results (usr/local/bin/gosu)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version | Information URL | Triage Information |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-24538 | CRITICAL | 9.8 | golang: html/template: backticks not treated as string delimiters | stdlib | 1.18.2 | 1.19.8, 1.20.3 | https://avd.aquasec.com/nvd/cve-2023-24538 | |
| CVE-2023-24540 | CRITICAL | 9.8 | golang: html/template: improper handling of JavaScript whitespace | stdlib | 1.18.2 | 1.19.9, 1.20.4 | https://avd.aquasec.com/nvd/cve-2023-24540 | |
| CVE-2024-24790 | CRITICAL | 9.8 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses | stdlib | 1.18.2 | 1.21.11, 1.22.4 | https://avd.aquasec.com/nvd/cve-2024-24790 | |
| CVE-2022-27664 | HIGH | 7.5 | golang: net/http: handle server errors after sending GOAWAY | stdlib | 1.18.2 | 1.18.6, 1.19.1 | https://avd.aquasec.com/nvd/cve-2022-27664 | |
| CVE-2022-28131 | HIGH | 7.5 | golang: encoding/xml: stack exhaustion in Decoder.Skip | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-28131 | |
| CVE-2022-2879 | HIGH | 7.5 | golang: archive/tar: unbounded memory consumption when reading headers | stdlib | 1.18.2 | 1.18.7, 1.19.2 | https://avd.aquasec.com/nvd/cve-2022-2879 | |
| CVE-2022-2880 | HIGH | 7.5 | golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters | stdlib | 1.18.2 | 1.18.7, 1.19.2 | https://avd.aquasec.com/nvd/cve-2022-2880 | |
| CVE-2022-29804 | HIGH | 7.5 | ELSA-2022-17957: ol8addon security update (IMPORTANT) | stdlib | 1.18.2 | 1.17.11, 1.18.3 | https://avd.aquasec.com/nvd/cve-2022-29804 | |
| CVE-2022-30580 | HIGH | 7.8 | golang: os/exec: Code injection in Cmd.Start | stdlib | 1.18.2 | 1.17.11, 1.18.3 | https://avd.aquasec.com/nvd/cve-2022-30580 | |
| CVE-2022-30630 | HIGH | 7.5 | golang: io/fs: stack exhaustion in Glob | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-30630 | |
| CVE-2022-30631 | HIGH | 7.5 | golang: compress/gzip: stack exhaustion in Reader.Read | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-30631 | |
| CVE-2022-30632 | HIGH | 7.5 | golang: path/filepath: stack exhaustion in Glob | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-30632 | |
| CVE-2022-30633 | HIGH | 7.5 | golang: encoding/xml: stack exhaustion in Unmarshal | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-30633 | |
| CVE-2022-30634 | HIGH | 7.5 | ELSA-2022-17957: ol8addon security update (IMPORTANT) | stdlib | 1.18.2 | 1.17.11, 1.18.3 | https://avd.aquasec.com/nvd/cve-2022-30634 | |
| CVE-2022-30635 | HIGH | 7.5 | golang: encoding/gob: stack exhaustion in Decoder.Decode | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-30635 | |
| CVE-2022-32189 | HIGH | 7.5 | golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service | stdlib | 1.18.2 | 1.17.13, 1.18.5 | https://avd.aquasec.com/nvd/cve-2022-32189 | |
| CVE-2022-41715 | HIGH | 7.5 | golang: regexp/syntax: limit memory used by parsing regexps | stdlib | 1.18.2 | 1.18.7, 1.19.2 | https://avd.aquasec.com/nvd/cve-2022-41715 | |
| CVE-2022-41716 | HIGH | 7.5 | Due to unsanitized NUL values, attackers may be able to maliciously se ... | stdlib | 1.18.2 | 1.18.8, 1.19.3 | https://avd.aquasec.com/nvd/cve-2022-41716 | |
| CVE-2022-41720 | HIGH | 7.5 | golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows | stdlib | 1.18.2 | 1.18.9, 1.19.4 | https://avd.aquasec.com/nvd/cve-2022-41720 | |
| CVE-2022-41722 | HIGH | 7.5 | golang: path/filepath: path-filepath filepath.Clean path traversal | stdlib | 1.18.2 | 1.19.6, 1.20.1 | https://avd.aquasec.com/nvd/cve-2022-41722 | |
| CVE-2022-41723 | HIGH | 7.5 | golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding | stdlib | 1.18.2 | 1.19.6, 1.20.1 | https://avd.aquasec.com/nvd/cve-2022-41723 | |
| CVE-2022-41724 | HIGH | 7.5 | golang: crypto/tls: large handshake records may cause panics | stdlib | 1.18.2 | 1.19.6, 1.20.1 | https://avd.aquasec.com/nvd/cve-2022-41724 | |
| CVE-2022-41725 | HIGH | 7.5 | golang: net/http, mime/multipart: denial of service from excessive resource consumption | stdlib | 1.18.2 | 1.19.6, 1.20.1 | https://avd.aquasec.com/nvd/cve-2022-41725 | |
| CVE-2023-24534 | HIGH | 7.5 | golang: net/http, net/textproto: denial of service from excessive memory allocation | stdlib | 1.18.2 | 1.19.8, 1.20.3 | https://avd.aquasec.com/nvd/cve-2023-24534 | |
| CVE-2023-24536 | HIGH | 7.5 | golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption | stdlib | 1.18.2 | 1.19.8, 1.20.3 | https://avd.aquasec.com/nvd/cve-2023-24536 | |
| CVE-2023-24537 | HIGH | 7.5 | golang: go/parser: Infinite loop in parsing | stdlib | 1.18.2 | 1.19.8, 1.20.3 | https://avd.aquasec.com/nvd/cve-2023-24537 | |
| CVE-2023-24539 | HIGH | 7.3 | golang: html/template: improper sanitization of CSS values | stdlib | 1.18.2 | 1.19.9, 1.20.4 | https://avd.aquasec.com/nvd/cve-2023-24539 | |
| CVE-2023-29400 | HIGH | 7.3 | golang: html/template: improper handling of empty HTML attributes | stdlib | 1.18.2 | 1.19.9, 1.20.4 | https://avd.aquasec.com/nvd/cve-2023-29400 | |
| CVE-2023-29403 | HIGH | 7.8 | golang: runtime: unexpected behavior of setuid/setgid binaries | stdlib | 1.18.2 | 1.19.10, 1.20.5 | https://avd.aquasec.com/nvd/cve-2023-29403 | |
| CVE-2023-39325 | HIGH | 7.5 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | stdlib | 1.18.2 | 1.20.10, 1.21.3 | https://avd.aquasec.com/nvd/cve-2023-39325 | |
| CVE-2023-45283 | HIGH | 7.5 | The filepath package does not recognize paths with a \??\ prefix as sp ... | stdlib | 1.18.2 | 1.20.11, 1.21.4, 1.20.12, 1.21.5 | https://avd.aquasec.com/nvd/cve-2023-45283 | |
| CVE-2023-45287 | HIGH | 7.5 | golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. | stdlib | 1.18.2 | 1.20.0 | https://avd.aquasec.com/nvd/cve-2023-45287 | |
| CVE-2023-45288 | HIGH | | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS | stdlib | 1.18.2 | 1.21.9, 1.22.2 | https://avd.aquasec.com/nvd/cve-2023-45288 | |
| CVE-2024-34156 | HIGH | | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion | stdlib | 1.18.2 | 1.22.7, 1.23.1 | https://avd.aquasec.com/nvd/cve-2024-34156 | |
| CVE-2022-1705 | MEDIUM | 6.5 | golang: net/http: improper sanitization of Transfer-Encoding header | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-1705 | |
| CVE-2022-1962 | MEDIUM | 5.5 | golang: go/parser: stack exhaustion in all Parse* functions | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-1962 | |
| CVE-2022-32148 | MEDIUM | 6.5 | golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working | stdlib | 1.18.2 | 1.17.12, 1.18.4 | https://avd.aquasec.com/nvd/cve-2022-32148 | |
| CVE-2022-41717 | MEDIUM | 5.3 | golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests | stdlib | 1.18.2 | 1.18.9, 1.19.4 | https://avd.aquasec.com/nvd/cve-2022-41717 | |
| CVE-2023-24532 | MEDIUM | 5.3 | golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results | stdlib | 1.18.2 | 1.19.7, 1.20.2 | https://avd.aquasec.com/nvd/cve-2023-24532 | |
| CVE-2023-29406 | MEDIUM | 6.5 | golang: net/http: insufficient sanitization of Host header | stdlib | 1.18.2 | 1.19.11, 1.20.6 | https://avd.aquasec.com/nvd/cve-2023-29406 | |
| CVE-2023-29409 | MEDIUM | 5.3 | golang: crypto/tls: slow verification of certificate chains containing large RSA keys | stdlib | 1.18.2 | 1.19.12, 1.20.7, 1.21.0-rc.4 | https://avd.aquasec.com/nvd/cve-2023-29409 | |
| CVE-2023-39318 | MEDIUM | 6.1 | golang: html/template: improper handling of HTML-like comments within script contexts | stdlib | 1.18.2 | 1.20.8, 1.21.1 | https://avd.aquasec.com/nvd/cve-2023-39318 | |
| CVE-2023-39319 | MEDIUM | 6.1 | golang: html/template: improper handling of special tags within script contexts | stdlib | 1.18.2 | 1.20.8, 1.21.1 | https://avd.aquasec.com/nvd/cve-2023-39319 | |
| CVE-2023-39326 | MEDIUM | 5.3 | golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests | stdlib | 1.18.2 | 1.20.12, 1.21.5 | https://avd.aquasec.com/nvd/cve-2023-39326 | |
| CVE-2023-45284 | MEDIUM | 5.3 | On Windows, The IsLocal function does not correctly detect reserved de ... | stdlib | 1.18.2 | 1.20.11, 1.21.4 | https://avd.aquasec.com/nvd/cve-2023-45284 | |
| CVE-2023-45289 | MEDIUM | | golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect | stdlib | 1.18.2 | 1.21.8, 1.22.1 | https://avd.aquasec.com/nvd/cve-2023-45289 | |
| CVE-2023-45290 | MEDIUM | | golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm | stdlib | 1.18.2 | 1.21.8, 1.22.1 | https://avd.aquasec.com/nvd/cve-2023-45290 | |
| CVE-2024-24783 | MEDIUM | | golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm | stdlib | 1.18.2 | 1.21.8, 1.22.1 | https://avd.aquasec.com/nvd/cve-2024-24783 | |
| CVE-2024-24784 | MEDIUM | | golang: net/mail: comments in display names are incorrectly handled | stdlib | 1.18.2 | 1.21.8, 1.22.1 | https://avd.aquasec.com/nvd/cve-2024-24784 | |
| CVE-2024-24785 | MEDIUM | | golang: html/template: errors returned from MarshalJSON methods may break template escaping | stdlib | 1.18.2 | 1.21.8, 1.22.1 | https://avd.aquasec.com/nvd/cve-2024-24785 | |
| CVE-2024-24789 | MEDIUM | 5.5 | golang: archive/zip: Incorrect handling of certain ZIP files | stdlib | 1.18.2 | 1.21.11, 1.22.4 | https://avd.aquasec.com/nvd/cve-2024-24789 | |
| CVE-2024-24791 | MEDIUM | | net/http: Denial of service due to improper 100-continue handling in net/http | stdlib | 1.18.2 | 1.21.12, 1.22.5 | https://avd.aquasec.com/nvd/cve-2024-24791 | |
| CVE-2024-34155 | MEDIUM | | go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion | stdlib | 1.18.2 | 1.22.7, 1.23.1 | https://avd.aquasec.com/nvd/cve-2024-34155 | |
| CVE-2024-34158 | MEDIUM | | go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion | stdlib | 1.18.2 | 1.22.7, 1.23.1 | https://avd.aquasec.com/nvd/cve-2024-34158 | |
| CVE-2022-30629 | LOW | 3.1 | golang: crypto/tls: session tickets lack random ticket_age_add | stdlib | 1.18.2 | 1.17.11, 1.18.3 | https://avd.aquasec.com/nvd/cve-2022-30629 | |

Thanks,
Sathyendran
Re: BUG #18702: Critical & High Security vulnerability issue with Trivy Scan in postgres 16
From
"David G. Johnston"
Date:
On Tuesday, November 12, 2024, PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:
Bug reference: 18702
Logged by: Sathyendran Vellaisamy
Email address: sathyendran.vellaisamy@intel.com
PostgreSQL version: 16.0
Operating system: Ubuntu
Description:
If you are scanning the unsupported v16.0 instead of the latest supported release (a new one comes out this week) then you are not doing things correctly and you need to change your own procedures to ensure you only test and use supported releases.
David J.
Re: BUG #18702: Critical & High Security vulnerability issue with Trivy Scan in postgres 16
From
Daniel Gustafsson
Date:
> On 12 Nov 2024, at 11:12, PG Bug reporting form <noreply@postgresql.org> wrote:
> We are using postgres 16 docker image from hub and we found some Critical
> and High vulnerability.

The postgres docker image is not maintained by the postgres committers; the page on docker.com lists (and links to) "Maintained by: the PostgreSQL Docker Community" as the ones you should be contacting. They may call it "Docker Official Image" but that doesn't mean it's official by postgresql.org.

> This fix is essential for our releases. Please provide fix for the
> vulnerability issue below.

While it's none of my business, if something which you are unsure over who maintains is essential to your business, then maybe consider compiling a Docker image yourself in-house?

--
Daniel Gustafsson
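Every finding in the report above is against the Go standard library compiled into the gosu helper (stdlib 1.18.2), not against PostgreSQL itself, so the practical triage question, whether you wait for the Docker community image or follow the suggestion to build one in-house, is which Go toolchain the binary must be rebuilt with. The script below is an added example written for this page; it is not part of the bug report, of Trivy, of gosu, or of the postgres image. It reads rows in the shape Trivy printed (here a constructed subset of the rows above, reduced to the columns triage needs), reports which CVEs a given toolchain would still carry, and picks the lowest listed fixed version that closes all of them. It assumes Trivy's "Fixed Version" column lists the first fixed patch release on each Go minor line that received the fix, and that any newer minor line branched from fixed code; a version on an older line, or below the listed patch on its own line, is treated as unfixed.

```python
"""Triage helper for Trivy 'stdlib' findings in a Go binary.

Added example, not part of the bug report above nor of Trivy or gosu: it
takes rows like those Trivy printed for usr/local/bin/gosu and answers two
questions a defender asks before rebuilding the image in-house: which
findings a given Go toolchain still leaves open, and which is the lowest
listed fixed version that closes all of them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: a hand-picked subset of the rows in the report above,
# reduced to ID, severity, library, installed version and fixed versions.
SAMPLE_ROWS = """\
CVE-2023-24538\tCRITICAL\tstdlib\t1.18.2\t1.19.8, 1.20.3
CVE-2024-24790\tCRITICAL\tstdlib\t1.18.2\t1.21.11, 1.22.4
CVE-2022-30580\tHIGH\tstdlib\t1.18.2\t1.17.11, 1.18.3
CVE-2023-45287\tHIGH\tstdlib\t1.18.2\t1.20.0
CVE-2024-34156\tHIGH\tstdlib\t1.18.2\t1.22.7, 1.23.1
CVE-2023-29409\tMEDIUM\tstdlib\t1.18.2\t1.19.12, 1.20.7, 1.21.0-rc.4
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)\.?(\d+))?$")


def version_key(version: str) -> tuple[int, int, int, int, int]:
    """Sortable key for a Go version string such as '1.21.0-rc.4'.

    A pre-release sorts before the final release of the same number, so the
    fourth element is 1 for a release and 0 for a pre-release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Go version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre_num or 0))


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    library: str
    installed: str
    fixed: tuple[str, ...]


def parse_rows(text: str) -> list[Finding]:
    """Parse tab-separated rows; the fixed-version column is comma-separated."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vuln_id, severity, library, installed, fixed = line.split("\t")
        findings.append(Finding(vuln_id, severity, library, installed,
                                tuple(v.strip() for v in fixed.split(","))))
    return findings


def is_fixed(installed: str, fixed_versions) -> bool:
    """Decide whether `installed` carries the fix (assumption stated in the lead-in).

    Fixed if at or above the listed release on its own minor line, or on a
    newer minor line than any listed; otherwise unfixed.
    """
    inst = version_key(installed)
    fixes = [version_key(f) for f in fixed_versions]
    same_line = [f for f in fixes if f[:2] == inst[:2]]
    if same_line:
        return inst >= min(same_line)
    return inst[:2] > max(f[:2] for f in fixes)


def unfixed_findings(installed: str, findings) -> list[str]:
    """IDs of findings that a binary built with `installed` would still carry."""
    return [f.vuln_id for f in findings if not is_fixed(installed, f.fixed)]


def minimum_fixed_version(findings) -> str | None:
    """Lowest version among the listed fixes that closes every finding."""
    candidates = sorted({v for f in findings for v in f.fixed}, key=version_key)
    for candidate in candidates:
        if not unfixed_findings(candidate, findings):
            return candidate
    return None


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("still open with Go 1.18.2:", unfixed_findings("1.18.2", rows))
    print("still open with Go 1.20.5:", unfixed_findings("1.20.5", rows))
    print("lowest toolchain closing all listed findings:", minimum_fixed_version(rows))
```

On the sample rows, Go 1.20.5 would still leave CVE-2024-24790, CVE-2024-34156 and CVE-2023-29409 open, and 1.22.7 is the lowest listed release that closes all six; with the full table pasted in, the answer moves to whatever the newest "Fixed Version" entries require. The same check applies after a rebuild: run Trivy against the new image and confirm the stdlib version it reports for gosu is at or above that figure.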