CVE-2025-1094 - Requires update PostgreSQL 17.3

[gonzalezge]

What is the bug or the crash?

PostgreSQL that is vulnerable to a critical security flaw (CVE-2025-1094). That was already patched by Postgresql. A lot of organizations/users use kartozar/postgis.

https://www.postgresql.org/about/news/postgresql-173-167-1511-1416-and-1319-released-3015/

To patch it, you need to update to 17.3,

It would be highly appreciated if you could release the updated in the docker hub registry. Just required a build and re-upload.

Thank you

Steps to reproduce the issue

Run the 17.3-5 to see the vulnerability

Versions

17.3-5

Additional context

No response

[NyakudyaA]

@gonzalezge Please feel free to submit a PR, GitHub action will push a new image when we merge the PR

[gonzalezge]

Thank you, but in this case is not necessary a PR. Is just rebuilding the image, and automatic will pick up the 17.3. I tried in locally and works.

[NyakudyaA]

Ok, will check if I can trigger the action manually

[gonzalezge]

Thank you! I think will be the same case for 16, 15, and 14, just rebuilding and updating to the latest version

https://www.postgresql.org/support/security/CVE-2025-1094/

[javeddc]

Agree this would be super useful if it's possible to have an image with the patched version 🙏

[lupiyamujalaunimelb]

My organisation also needs this update. When could we have this?

[NyakudyaA]

Pushed a new update, please pull

[NyakudyaA]

Thank you! I think will be the same case for 16, 15, and 14, just rebuilding and updating to the latest version

https://www.postgresql.org/support/security/CVE-2025-1094/

This will need a PR where we adjust the GitHub action with the build matrix for those versions

[gonzalezge]

Thank you!

[freemankevin]

I strongly recommend adding CVE scanning for PostgreSQL to this repository (https://github.com/kartoza/docker-postgis). As a mainstream database, PostgreSQL frequently exposes security issues (such as CVE-2023-xxx in the past). For Docker image projects that rely on it, it is particularly important to detect vulnerabilities in a timely manner. Manually submitting issues is inefficient and easy to miss.

It is recommended to use the security plugins provided by GitHub to achieve this, for example:

1. Enable Dependabot to detect known CVEs and automatically create fix PRs by scanning the PostgreSQL version in the Dockerfile.
2. (Optional) Integrate Code Scanning to use CodeQL to analyze potential vulnerabilities in custom scripts or configurations.

This can automate security checks, improve the security of the repository, and reduce the maintenance burden. I hope maintainers can consider this suggestion!

[gonzalezge]

I agree with @freemankevin that at least a Dependabot only for PostgreSQL versions would be nice, given that PostgreSQL is making updates frequently.

Thank you! I hope maintainers can consider this suggestion!

[NyakudyaA]

@gonzalezge @freemankevin Currently dependabot is setup to manage or update github actions https://github.com/kartoza/docker-postgis/blob/develop/.github/dependabot.yml, please feel free to do a PR adding the necessary adjustments, I will review and merge.

On the Code scanning, we currently are using Trivy to check for vulnerabilities on the published images https://github.com/kartoza/docker-postgis/blob/develop/.github/workflows/build-latest.yaml#L136-L149, please also feel free to make recommendations on the best tools to use and if you have time do a PR

Currently trivy picks the following