(Trivy vulnerability report) Vulnerabilities

[drnextgis]

I used Trivy to scan the postgis/postgis:16-3.4 image, and here are the findings:

postgis/postgis:16-3.4 (debian 11.8)
====================================
Total: 52 (HIGH: 46, CRITICAL: 6)

┌───────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │    Status    │    Installed Version    │ Fixed Version │                            Title                             │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ bash              │ CVE-2022-3715  │ HIGH     │ affected     │ 5.1-2+deb11u1           │               │ a heap-buffer-overflow in valid_parameter_transform          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-3715                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ e2fsprogs         │ CVE-2022-1304  │          │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libaom0           │ CVE-2020-0478  │          │ will_not_fix │ 1.0.0.errata1-3+deb11u1 │               │ In extend_frame_lowbd of restoration.c, there is a possible  │
│                   │                │          │              │                         │               │ out of bou ......                                            │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-0478                    │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libblas3          │ CVE-2021-4048  │ CRITICAL │ affected     │ 3.9.0-3+deb11u1         │               │ lapack: Out-of-bounds read in *larrv                         │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-4048                    │
├───────────────────┼────────────────┼──────────┤              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcom-err2       │ CVE-2022-1304  │ HIGH     │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl3-gnutls   │ CVE-2023-23914 │ CRITICAL │ will_not_fix │ 7.74.0-1.3+deb11u10     │               │ curl: HSTS ignored on multiple requests                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-23914                   │
│                   ├────────────────┼──────────┤              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-42916 │ HIGH     │              │                         │               │ HSTS bypass via IDN                                          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-42916                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-43551 │          │              │                         │               │ curl: HSTS bypass via IDN                                    │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-43551                   │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libdb5.3          │ CVE-2019-8457  │ CRITICAL │ affected     │ 5.3.28+dfsg1-0.8        │               │ heap out-of-bound read in function rtreenode()               │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
├───────────────────┼────────────────┼──────────┤              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libde265-0        │ CVE-2023-27103 │ HIGH     │              │ 1.0.11-0+deb11u1        │               │ Libde265 v1.0.11 was discovered to contain a heap buffer     │
│                   │                │          │              │                         │               │ overflow via ...                                             │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-27103                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libext2fs2        │ CVE-2022-1304  │          │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libgcrypt20       │ CVE-2021-33560 │          │              │ 1.8.7-6                 │               │ mishandles ElGamal encryption because it lacks exponent      │
│                   │                │          │              │                         │               │ blinding to address a side-channel...                        │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-33560                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libhdf5-103-1     │ CVE-2018-11205 │          │              │ 1.10.6+repack-4+deb11u1 │               │ hdf5: out of bounds read in H5VM_memcpyvv in H5VM.c          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2018-11205                   │
│                   ├────────────────┤          ├──────────────┤                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-25942 │          │ fix_deferred │                         │               │ hdf5: HDF5 Group libhdf5 gif2h5 out-of-bounds read           │
│                   │                │          │              │                         │               │ vulnerability                                                │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-25942                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-25972 │          │              │                         │               │ hdf5: HDF5 Group libhdf5 gif2h5 out-of-bounds write          │
│                   │                │          │              │                         │               │ vulnerability                                                │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-25972                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-26061 │          │              │                         │               │ hdf5: HDF5 Group libhdf5 gif2h5 heap-based buffer overflow   │
│                   │                │          │              │                         │               │ vulnerability                                                │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-26061                   │
├───────────────────┼────────────────┤          ├──────────────┤                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libhdf5-hl-100    │ CVE-2018-11205 │          │ affected     │                         │               │ hdf5: out of bounds read in H5VM_memcpyvv in H5VM.c          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2018-11205                   │
│                   ├────────────────┤          ├──────────────┤                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-25942 │          │ fix_deferred │                         │               │ hdf5: HDF5 Group libhdf5 gif2h5 out-of-bounds read           │
│                   │                │          │              │                         │               │ vulnerability                                                │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-25942                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-25972 │          │              │                         │               │ hdf5: HDF5 Group libhdf5 gif2h5 out-of-bounds write          │
│                   │                │          │              │                         │               │ vulnerability                                                │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-25972                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-26061 │          │              │                         │               │ hdf5: HDF5 Group libhdf5 gif2h5 heap-based buffer overflow   │
│                   │                │          │              │                         │               │ vulnerability                                                │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-26061                   │
├───────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libheif1          │ CVE-2023-0996  │          │ affected     │ 1.11.0-1                │               │ There is a vulnerability in the strided image data parsing   │
│                   │                │          │              │                         │               │ code in...                                                   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-0996                    │
├───────────────────┼────────────────┼──────────┤              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ liblapack3        │ CVE-2021-4048  │ CRITICAL │              │ 3.9.0-3+deb11u1         │               │ lapack: Out-of-bounds read in *larrv                         │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-4048                    │
├───────────────────┼────────────────┼──────────┤              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libldap-2.4-2     │ CVE-2023-2953  │ HIGH     │              │ 2.4.57+dfsg-3+deb11u1   │               │ null pointer dereference in ber_memalloc_x function          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-2953                    │
├───────────────────┼────────────────┼──────────┤              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libminizip1       │ CVE-2023-45853 │ CRITICAL │              │ 1.1-8+b1                │               │ zlib: integer overflow and resultant heap-based buffer       │
│                   │                │          │              │                         │               │ overflow in zipOpenNewFileInZip4_6                           │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-45853                   │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libnetcdf18       │ CVE-2019-20006 │ HIGH     │ will_not_fix │ 1:4.7.4-1               │               │ An issue was discovered in ezXML 0.8.3 through 0.8.6. The    │
│                   │                │          │              │                         │               │ function ezx...                                              │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2019-20006                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2021-26220 │          │              │                         │               │ The ezxml_toxml function in ezxml 0.8.6 and earlier is       │
│                   │                │          │              │                         │               │ vulnerable to O...                                           │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-26220                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2021-26221 │          │              │                         │               │ The ezxml_new function in ezXML 0.8.6 and earlier is         │
│                   │                │          │              │                         │               │ vulnerable to OOB...                                         │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-26221                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2021-26222 │          │              │                         │               │ The ezxml_new function in ezXML 0.8.6 and earlier is         │
│                   │                │          │              │                         │               │ vulnerable to OOB...                                         │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-26222                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2021-31598 │          │              │                         │               │ An issue was discovered in libezxml.a in ezXML 0.8.6. The    │
│                   │                │          │              │                         │               │ function ezx...                                              │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-31598                   │
├───────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libnghttp2-14     │ CVE-2023-44487 │          │ affected     │ 1.43.0-1                │               │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                   │                │          │              │                         │               │ to a DDoS attack...                                          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libopenjp2-7      │ CVE-2021-3575  │          │              │ 2.4.0-3                 │               │ openjpeg: heap-buffer-overflow in color.c may lead to DoS or │
│                   │                │          │              │                         │               │ arbitrary code execution...                                  │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-3575                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libperl5.32       │ CVE-2020-16156 │          │              │ 5.32.1-4+deb11u2        │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libsqlite3-0      │ CVE-2021-31239 │          │              │ 3.34.1-3                │               │ sqlite: denial of service via the appendvfs.c function       │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-31239                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libss2            │ CVE-2022-1304  │          │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libssh2-1         │ CVE-2020-22218 │          │              │ 1.9.0-2                 │               │ libssh2: use-of-uninitialized-value in                       │
│                   │                │          │              │                         │               │ _libssh2_transport_read                                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-22218                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libtiff5          │ CVE-2023-6277  │          │              │ 4.2.0-1+deb11u5         │               │ libtiff: Out-of-memory in TIFFOpen via a craft file          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-6277                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2           │ CVE-2022-2309  │          │              │ 2.9.10+dfsg-6.7+deb11u4 │               │ lxml: NULL Pointer Dereference in lxml                       │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-2309                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libzstd1          │ CVE-2022-4899  │          │              │ 1.4.8+dfsg-2.1          │               │ zstd: mysql: buffer overrun in util.c                        │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-4899                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ logsave           │ CVE-2022-1304  │          │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ perl              │ CVE-2020-16156 │          │              │ 5.32.1-4+deb11u2        │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│ perl-base         │ CVE-2020-16156 │          │              │                         │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│ perl-modules-5.32 │ CVE-2020-16156 │          │              │                         │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ zlib1g            │ CVE-2023-45853 │ CRITICAL │ will_not_fix │ 1:1.2.11.dfsg-2+deb11u2 │               │ zlib: integer overflow and resultant heap-based buffer       │
│                   │                │          │              │                         │               │ overflow in zipOpenNewFileInZip4_6                           │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-45853                   │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ zstd              │ CVE-2022-4899  │ HIGH     │ affected     │ 1.4.8+dfsg-2.1          │               │ zstd: mysql: buffer overrun in util.c                        │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-4899                    │
└───────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/gosu (gobinary)
=============================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                      Title                       │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2023-27561 │ HIGH     │ fixed  │ v1.1.0            │ 1.1.5         │ runc: volume mount race condition (regression of │
│                                │                │          │        │                   │               │ CVE-2019-19921)                                  │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561       │
└────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────┘

[ImreSamu]

Thank you for raising this issue to the community's attention!

Currently, our Docker PostGIS repository:

• Is solely based on images from https://github.com/docker-library/postgres , maintained by Docker, Inc.
• Ensures the Docker PostGIS images are automatically regenerated every week on Monday. This is to incorporate any changes in the base PostgreSQL images or updates in Debian/Alpine packages, ensuring that updates are seamlessly integrated. see: https://github.com/postgis/docker-postgis/blob/316065820b22da6a443614ceb2a75376c7853722/.github/workflows/main.yml#L7C3-L7C25

  schedule:
  - cron: '15 5 * * 1'

We are open to any suggestions for enhancing security. Your help and ideas in this area are greatly appreciated.

---

In the Docker Library FAQ section titled : "Why does my security scanner show that an image has CVEs?" , there is additional information:

• https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

---

For more detail:

The Dockerfile for the postgis/postgis:16-3.4 image is located here: https://github.com/postgis/docker-postgis/blob/master/16-3.4/Dockerfile As you can see, it is based on the postgres:16-bullseye image ( https://github.com/docker-library/postgres/blob/master/16/bullseye/Dockerfile ) which I assume may also include these issues. But please verify this!

You can find the discussions and resolutions regarding upstream Docker PostgreSQL issues at the following links:

• searching for repo:docker-library/postgres trivy https://github.com/search?q=repo%3Adocker-library%2Fpostgres+trivy&type=issues
• searching for repo:docker-library/postgres CVE https://github.com/search?q=repo%3Adocker-library%2Fpostgres+CVE&type=issues

Please feel free to check these resources for further information.

[drnextgis]

Thank you for the quick response! Here are the results of inspecting the base image:

postgres:16-bullseye (debian 11.8)
==================================
Total: 26 (HIGH: 24, CRITICAL: 2)

┌───────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │    Status    │    Installed Version    │ Fixed Version │                            Title                             │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ bash              │ CVE-2022-3715  │ HIGH     │ affected     │ 5.1-2+deb11u1           │               │ a heap-buffer-overflow in valid_parameter_transform          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-3715                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ e2fsprogs         │ CVE-2022-1304  │          │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┤                │          │              │                         ├───────────────┤                                                              │
│ libcom-err2       │                │          │              │                         │               │                                                              │
│                   │                │          │              │                         │               │                                                              │
├───────────────────┼────────────────┼──────────┤              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libdb5.3          │ CVE-2019-8457  │ CRITICAL │              │ 5.3.28+dfsg1-0.8        │               │ heap out-of-bound read in function rtreenode()               │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
├───────────────────┼────────────────┼──────────┤              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libext2fs2        │ CVE-2022-1304  │ HIGH     │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libgcrypt20       │ CVE-2021-33560 │          │              │ 1.8.7-6                 │               │ mishandles ElGamal encryption because it lacks exponent      │
│                   │                │          │              │                         │               │ blinding to address a side-channel...                        │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-33560                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libldap-2.4-2     │ CVE-2023-2953  │          │              │ 2.4.57+dfsg-3+deb11u1   │               │ null pointer dereference in ber_memalloc_x function          │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-2953                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libperl5.32       │ CVE-2020-16156 │          │              │ 5.32.1-4+deb11u2        │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libsqlite3-0      │ CVE-2021-31239 │          │              │ 3.34.1-3                │               │ sqlite: denial of service via the appendvfs.c function       │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2021-31239                   │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libss2            │ CVE-2022-1304  │          │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2           │ CVE-2022-2309  │          │              │ 2.9.10+dfsg-6.7+deb11u4 │               │ lxml: NULL Pointer Dereference in lxml                       │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-2309                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libzstd1          │ CVE-2022-4899  │          │              │ 1.4.8+dfsg-2.1          │               │ zstd: mysql: buffer overrun in util.c                        │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-4899                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ logsave           │ CVE-2022-1304  │          │              │ 1.46.2-2                │               │ e2fsprogs: out-of-bounds read/write via crafted filesystem   │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-1304                    │
├───────────────────┼────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ perl              │ CVE-2020-16156 │          │              │ 5.32.1-4+deb11u2        │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│ perl-base         │ CVE-2020-16156 │          │              │                         │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│ perl-modules-5.32 │ CVE-2020-16156 │          │              │                         │               │ Bypass of verification of signatures in CHECKSUMS files      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-31484 │          │              │                         │               │ perl: CPAN.pm does not verify TLS certificates when          │
│                   │                │          │              │                         │               │ downloading distributions over HTTPS...                      │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-31484                   │
│                   ├────────────────┤          │              │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│                   │ CVE-2023-47038 │          │              │                         │               │ perl: Write past buffer end via illegal user-defined Unicode │
│                   │                │          │              │                         │               │ property                                                     │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-47038                   │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ zlib1g            │ CVE-2023-45853 │ CRITICAL │ will_not_fix │ 1:1.2.11.dfsg-2+deb11u2 │               │ zlib: integer overflow and resultant heap-based buffer       │
│                   │                │          │              │                         │               │ overflow in zipOpenNewFileInZip4_6                           │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2023-45853                   │
├───────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ zstd              │ CVE-2022-4899  │ HIGH     │ affected     │ 1.4.8+dfsg-2.1          │               │ zstd: mysql: buffer overrun in util.c                        │
│                   │                │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2022-4899                    │
└───────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

[ImreSamu]

If security is particularly important to you, an alternative might be the PostGIS Alpine image:

• postgis/postgis:16-3.4-alpine

The base image postgres:16-alpine3.18 shows no known vulnerabilities according to Docker scanners (linux/amd64): https://hub.docker.com/_/postgres/tags?page=1&name=16-alpine3.18

https://www.alpinelinux.org = "Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and busybox."

If even higher security is required, it would be advisable for you to build the PostGIS images yourself. This way, you can control what goes into the image.

And I can only reiterate, we are open to any suggestions for enhancing security. However, unfortunately, we cannot control the updates of Debian and Alpine distributions.

[ImreSamu]

1.) The author of https://pythonspeed.com/articles/docker-security-scanner/ recommending the trivy --ignore-unfixed option + '"If you happen to work on a security scanner, please, make sure your scanner has a “show only fixable” option, and make sure it’s on by default.'

And the result of trivy image --ignore-unfixed postgis/postgis:16-3.4 :

postgis/postgis:16-3.4 (debian 11.8)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/gosu (gobinary)
Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

2.) The result of trivy image postgis/postgis:16-3.4-alpine

$ docker pull postgis/postgis:16-3.4-alpine
16-3.4-alpine: Pulling from postgis/postgis
Digest: sha256:a07012c92745d8f21e6cf33d846467076cfb167340750cf37c3329991f25da34
Status: Image is up to date for postgis/postgis:16-3.4-alpine
docker.io/postgis/postgis:16-3.4-alpine

$ trivy image  postgis/postgis:16-3.4-alpine
2023-11-30T09:02:58.004+0100    INFO    Need to update DB
2023-11-30T09:02:58.004+0100    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-30T09:02:58.004+0100    INFO    Downloading DB...
41.05 MiB / 41.05 MiB [-------------------------------------------------------------------------------------------------------------] 100.00% 1.24 MiB p/s 33s
2023-11-30T09:03:32.181+0100    INFO    Vulnerability scanning is enabled
2023-11-30T09:03:32.181+0100    INFO    Secret scanning is enabled
2023-11-30T09:03:32.181+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-30T09:03:32.181+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-11-30T09:03:45.524+0100    INFO    Detected OS: alpine
2023-11-30T09:03:45.525+0100    INFO    Detecting Alpine vulnerabilities...
2023-11-30T09:03:45.528+0100    INFO    Number of language-specific files: 0

postgis/postgis:16-3.4-alpine (alpine 3.18.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

[ImreSamu]

The "Security Scanner information" has been added to the README section: https://github.com/postgis/docker-postgis#security-scanner-information

• permalink: https://github.com/postgis/docker-postgis/blob/05d285c/README.md#security-scanner-information
• commit: https://github.com/postgis/docker-postgis/commit/e99af59b9bc5eb7f5f88aed8285a582a0f94d76e

Consequently, I am closing this issue. However, if there is any important matter that was overlooked, please let me know and I will reopen the issue.

[drnextgis]

@ImreSamu, I appreciate your assistance! The switch to *-alpine resolved the issue, and it's nice to see the subject has been added to the README.