From a8f3da4ec7ddd8240c71ddbc1f23b48aae408a23 Mon Sep 17 00:00:00 2001
From: dan
Date: Mon, 31 Mar 2025 23:37:51 +0200
Subject: [PATCH 1/5] Upgrade latest golang image version

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 28186a8..cf82cc4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine AS builder
+FROM golang:1.24-alpine AS builder
 ENV WALG_VERSION=v1.1

From dcc5e98b1efea477d1a34be16dcf3bdfd5d6269f Mon Sep 17 00:00:00 2001
From: dan
Date: Mon, 31 Mar 2025 23:44:23 +0200
Subject: [PATCH 2/5] Latest WAL-G version still does not include the fix for the reported vulnerability on golang.org/x/crypto so adding command to upgrade it to latest available in the build process

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index cf82cc4..155ffba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,7 @@ RUN set -ex \
 && git clone https://github.com/wal-g/wal-g/ $GOPATH/src/wal-g \
 && cd $GOPATH/src/wal-g/ \
 && git checkout $WALG_VERSION \
+ && go get -u golang.org/x/crypto@v0.36.0 \
 && make install \
 && make deps \
 && make pg_build \

From 6353948094425647bcc9c4b375b59f9a25f92374 Mon Sep 17 00:00:00 2001
From: dan
Date: Mon, 31 Mar 2025 23:53:13 +0200
Subject: [PATCH 3/5] Upgrades postgres 14 alpine image to latest available

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 155ffba..7f6f8dd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,7 @@ RUN set -ex \
 && install main/pg/wal-g / \
 && /wal-g --help
-FROM postgres:14.15-alpine3.19
+FROM postgres:14.17-alpine3.21
 RUN apk add --update iputils htop curl busybox-suid jq \
 && curl -sOL https://cronitor.io/dl/linux_amd64.tar.gz \

From 876b49f86de4e838ec7d5b46d0c0d614383b4fe1 Mon Sep 17 00:00:00 2001
From: dan
Date: Tue, 1 Apr 2025 23:32:02 +0200
Subject: [PATCH 4/5] Upgrades go packages to resolve security vulnerabilities

---
 Dockerfile | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7f6f8dd..61cdcec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,29 @@ RUN set -ex \
 && git clone https://github.com/wal-g/wal-g/ $GOPATH/src/wal-g \
 && cd $GOPATH/src/wal-g/ \
 && git checkout $WALG_VERSION \
- && go get -u golang.org/x/crypto@v0.36.0 \
+ # Update all dependencies safely
+ && go mod tidy \
+ && go mod download \
+ # Resolves vulnerability CVE-2021-38561 - Out-of-bounds Read
+ && go get golang.org/x/text@v0.3.7 \
+ # Resolves vulnerabilities CVE-2023-44487, CVE-2021-44716, CVE-2022-41723 & CVE-2022-27664 - Denial of Service (DoS)
+ # Resolves vulnerability CVE-2023-45288 & CVE-2023-39325- Allocation of Resources Without Limits or Throttling
+ && go get golang.org/x/net/http2@v0.34.0 \
+ # Resolves vulnerability CVE-2023-44487 - Denial of Service (DoS)
+ && go get google.golang.org/grpc@v1.71.1 \
+ # Resolves vulnerability CVE-2025-22868 - Allocation of Resources Without Limits or Throttling
+ && go get golang.org/x/oauth2@v0.28.0 \
+ # Resolves vulnerability CVE-2024-27304 - SQL Injection
+ && go get github.com/jackc/pgproto3/v2@v2.3.3 \
+ # Resolves vulnerability CVE-2024-27304 - SQL Injection
+ && go get github.com/jackc/pgx/v5@v5.5.4 \
+ # Resolves vulnerability CVE-2020-26160 - Access Restriction Bypass
+ && go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1 \
+ # Resolves vulnerability CVE-2024-45337 - Incorrect Implementation of Authentication Algorithm
+ # Resolves vulnerability CVE-2025-22869 - Allocation of Resources Without Limits or Throttling
+ # Resolves vulnerability CVE-2020-29652 - NULL Pointer Dereference
+ # Resolves vulnerability CVE-2021-43565 - Denial of Service (DoS)
+ && go get -u golang.org/x/crypto@v0.35.0 \
 && make install \
 && make deps \
 && make pg_build \
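Review bot: `go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1` adds a separate module at the `/v4` import path; it does not touch the `github.com/dgrijalva/jwt-go` (v3) module that WAL-G's sources presumably still import, so the CVE-2020-26160 comment above it likely claims more than the line delivers, and a subsequent `go mod tidy` prunes an un-imported `/v4` module again (patch 5/5 in this series keeps this line and moves tidy after it). The usual route for that module is a `replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt <version>` directive or a WAL-G release that has dropped the import. `go get -u golang.org/x/crypto@v0.35.0` also bumps every dependency of x/crypto to whatever is latest at build time, so after `git checkout $WALG_VERSION` the dependency set is no longer fixed by the tag and can differ between two builds; dropping `-u` keeps only the explicit pin. Note the x/crypto pin moves back from v0.36.0 (patch 2/5) to v0.35.0 here — confirm that is intended, and consider running `govulncheck ./...` in this stage so the CVE comments are checked against the resolved graph rather than asserted. The enclosing `RUN set -ex` starts before this hunk and continues past it.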
@@ -21,7 +43,7 @@ FROM postgres:14.17-alpine3.21
 RUN apk add --update iputils htop curl busybox-suid jq \
 && curl -sOL https://cronitor.io/dl/linux_amd64.tar.gz \
 && tar xvf linux_amd64.tar.gz -C /usr/bin/ \
- && apk upgrade
+ && apk upgrade --no-cache
 # Copy compiled wal-g binary from builder
 COPY --from=builder /wal-g /usr/local/bin
@@ -31,21 +53,21 @@ RUN mkdir -p /usr/local/scripts
 COPY scripts/setup-master.sh /docker-entrypoint-initdb.d/
 COPY scripts/setup-slave.sh /docker-entrypoint-initdb.d/
 RUN chown -R root:postgres /docker-entrypoint-initdb.d/
-RUN chmod -R 775 /docker-entrypoint-initdb.d
+ && chmod -R 775 /docker-entrypoint-initdb.d
 # Add WAL-G backup script
 COPY scripts/walg_caller.sh /usr/local/scripts/
 COPY scripts/base_backup.sh /usr/local/scripts/
 RUN chown -R root:postgres /usr/local/scripts
-RUN chmod -R 775 /usr/local/scripts
+ && chmod -R 775 /usr/local/scripts
 # Add custom entrypoint
 COPY scripts/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 # Add cron permissions to postgres user
-RUN chown -R root:postgres /etc/crontabs/root
-RUN chmod g+rw /etc/crontabs/root
+RUN chown -R root:postgres /etc/crontabs/root \
+ && chmod g+rw /etc/crontabs/root
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 CMD ["postgres"]

From 056d44c12e48a22b0aa04668f44ab453a6c65c37 Mon Sep 17 00:00:00 2001
From: dan
Date: Wed, 2 Apr 2025 09:53:13 +0200
Subject: [PATCH 5/5] Removes github.com/jackc packages due to inconsistency between versions and adds missing backslashes

---
 Dockerfile | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 61cdcec..ecc043a 100644
--- a/Dockerfile
+++ b/Dockerfile
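Review bot: `apk upgrade --no-cache` on the changed line does not remove the package index that `apk add --update` two lines above already wrote into this layer; the idiomatic form is `apk add --no-cache iputils htop curl busybox-suid jq \` with `--update` dropped, and a blanket `apk upgrade` is better replaced by bumping the base tag, which patch 3/5 in this series already does. The same `RUN` fetches `https://cronitor.io/dl/linux_amd64.tar.gz` with `curl -sOL` and unpacks it into `/usr/bin/` with no `-f`, no pinned release and no checksum, so an HTTP error body or a changed upstream artifact is installed into the runtime image unchecked; add `-f`, verify with `sha256sum -c` against a recorded digest (placeholder until one is captured), and `rm linux_amd64.tar.gz` in the same layer so the archive does not stay in the image.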
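Review bot: The merged `RUN chown -R root:postgres /etc/crontabs/root \` / `&& chmod g+rw /etc/crontabs/root` leaves root's crontab writable by the postgres group, so any process running as that group can add entries that crond executes as root — an escalation from the database user to root inside the container whenever crond is started (entrypoint.sh is not in this diff, so this is inferred). If the jobs are meant to run as postgres, install them in the postgres user's own crontab (`/etc/crontabs/postgres`, owned by postgres) and keep `/etc/crontabs/root` at its default root-only mode; the `busybox-suid` package installed above should also provide a setuid `crontab` applet for exactly that. Separately, the two merged `RUN chown … ` / `&& chmod -R 775 …` pairs for `/docker-entrypoint-initdb.d` and `/usr/local/scripts` lack the `\` continuation on the `chown` line, which the Dockerfile parser rejects — patch 5/5 in this series adds it.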
@@ -9,9 +9,6 @@ RUN set -ex \
 && git clone https://github.com/wal-g/wal-g/ $GOPATH/src/wal-g \
 && cd $GOPATH/src/wal-g/ \
 && git checkout $WALG_VERSION \
- # Update all dependencies safely
- && go mod tidy \
- && go mod download \
 # Resolves vulnerability CVE-2021-38561 - Out-of-bounds Read
 && go get golang.org/x/text@v0.3.7 \
 # Resolves vulnerabilities CVE-2023-44487, CVE-2021-44716, CVE-2022-41723 & CVE-2022-27664 - Denial of Service (DoS)
@@ -21,17 +18,16 @@ RUN set -ex \
 && go get google.golang.org/grpc@v1.71.1 \
 # Resolves vulnerability CVE-2025-22868 - Allocation of Resources Without Limits or Throttling
 && go get golang.org/x/oauth2@v0.28.0 \
- # Resolves vulnerability CVE-2024-27304 - SQL Injection
- && go get github.com/jackc/pgproto3/v2@v2.3.3 \
- # Resolves vulnerability CVE-2024-27304 - SQL Injection
- && go get github.com/jackc/pgx/v5@v5.5.4 \
- # Resolves vulnerability CVE-2020-26160 - Access Restriction Bypass
+ # Resolves vulnerability CVE-2024-27304 - SQL Injection \
 && go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1 \
 # Resolves vulnerability CVE-2024-45337 - Incorrect Implementation of Authentication Algorithm
 # Resolves vulnerability CVE-2025-22869 - Allocation of Resources Without Limits or Throttling
 # Resolves vulnerability CVE-2020-29652 - NULL Pointer Dereference
 # Resolves vulnerability CVE-2021-43565 - Denial of Service (DoS)
 && go get -u golang.org/x/crypto@v0.35.0 \
+ # Update all dependencies safely
+ && go mod tidy \
+ && go mod download \
 && make install \
 && make deps \
 && make pg_build \
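Review bot: The comment now sitting above `go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1` is the jackc one, `# Resolves vulnerability CVE-2024-27304 - SQL Injection \`, while the CVE-2020-26160 comment that described this line was deleted together with the jackc lines; restore `# Resolves vulnerability CVE-2020-26160 - Access Restriction Bypass` and drop the trailing `\`, which no other comment line in this `RUN` carries (the parser strips full-line comments before joining continuations, so it is harmless but misleading). With `go mod tidy` now placed after the explicit `go get` lines, any module that WAL-G's sources do not import is pruned again, so each pin only holds for modules actually in the build graph — worth checking the resulting go.mod, e.g. `go list -m all`, before relying on the CVE comments. The enclosing `RUN set -ex` starts before this hunk and continues past it.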
@@ -52,13 +48,13 @@ COPY --from=builder /wal-g /usr/local/bin
 RUN mkdir -p /usr/local/scripts
 COPY scripts/setup-master.sh /docker-entrypoint-initdb.d/
 COPY scripts/setup-slave.sh /docker-entrypoint-initdb.d/
-RUN chown -R root:postgres /docker-entrypoint-initdb.d/
+RUN chown -R root:postgres /docker-entrypoint-initdb.d/ \
 && chmod -R 775 /docker-entrypoint-initdb.d
 # Add WAL-G backup script
 COPY scripts/walg_caller.sh /usr/local/scripts/
 COPY scripts/base_backup.sh /usr/local/scripts/
-RUN chown -R root:postgres /usr/local/scripts
+RUN chown -R root:postgres /usr/local/scripts \
 && chmod -R 775 /usr/local/scripts
 # Add custom entrypoint
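Review bot: Both repaired `RUN chown -R root:postgres … \` / `&& chmod -R 775 …` steps leave the init scripts and the backup scripts under `/usr/local/scripts` group-writable by postgres, so if anything running with higher privilege (root via cron, or the entrypoint) executes those files, a process running as postgres can change what it runs; unless the entrypoint rewrites them at startup (entrypoint.sh is not in this diff), `chmod -R 755` gives the read and execute access that is needed. The same result needs no extra layers if the files are copied with their ownership and mode set at copy time, e.g. `COPY --chown=root:postgres --chmod=755 scripts/setup-master.sh /docker-entrypoint-initdb.d/`, and the `RUN chown`/`chmod` pair dropped.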