Security Vulnerabilities in postgis/postgis:15-3.5 (Go 1.18.2, libxslt1.1, CVE-2023-39325)

[vivekshiva444]

Description

Hi,

We are using the postgis/postgis:15-3.5 image, and a security scan has identified multiple vulnerabilities that pose a security risk.
Most of these vulnerabilities originate from outdated dependencies like Go 1.18.2, libxslt1.1, and Debian 11.11 as the base image.

• Go 1.18.2: 3 Critical.
• libxslt1.1: 2 vulnerabilities.
• CVE-2023-39325 is still present.

Can you confirm if a patched version is planned or if there are any recommended workarounds?

Thanks!

[ImreSamu]

Dear @vivekshiva444 ,

Thank you for your report. Please refer to the “Security Scanner Information” section in our repository’s README for details on what actions we can and cannot take:

• https://github.com/postgis/docker-postgis?tab=readme-ov-file#security-scanner-information

Additional security information is available in the upstream docker-postgres repository:

• https://github.com/search?q=repo%3Adocker-library%2Fpostgres+security+scanner&type=issues
• https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
• Remove gosu based CVE by building gosu with current golang image docker-library/postgres#1323

Our Dockerfile is extreme simple and is rebuilt every Monday:

• https://github.com/postgis/docker-postgis/blob/master/15-3.5/Dockerfile

We do have plans to move to a Debian 12-based image; however, I don't believe that this will resolve the false positive security warnings.

Thank you for your understanding.

Best regards,
Imre

---

How you can verify this for yourself:

• Check the base image in our Dockerfile at https://github.com/postgis/docker-postgis/blob/master/15-3.5/Dockerfile
  • it uses postgres:15-bullseye
• Compare the security scan results of the base image ( postgres:15-bullseye ) with those of the postgis/postgis:15-3.5 image
• In theory, you should see the same warnings in both cases.

---

Your list:

• "Go 1.18.2: 3 Critical."
  • gosu related; see: https://github.com/search?q=repo%3Adocker-library%2Fpostgres+security+scanner+gosu&type=issues
• "libxslt1.1: 2 vulnerabilities. "
  • maybe a "apt update && apt upgrade " will solve this.
• "CVE-2023-39325 is still present."
  • see https://github.com/search?q=repo%3Atianon%2Fgosu+%22CVE-2023-39325%29%22&type=issues

---

checking any upstream updates:

$ docker pull postgis/postgis:15-3.5
....
$ docker run -it --rm postgis/postgis:15-3.5 bash
root@70be48f306a1:/# apt update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [27.2 kB]           
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]                       
Get:4 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg InRelease [129 kB]                
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8,066 kB]
Get:6 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/15 amd64 Packages [2,575 B]
Get:7 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [354 kB]
Get:8 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages [367 kB]
Get:9 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [18.8 kB]       
Fetched 9,125 kB in 2s (3,764 kB/s)                                                       
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@70be48f306a1:/# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libxslt1.1 tzdata
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 546 kB of archives.
After this operation, 1,024 B disk space will be freed.
Do you want to continue? [Y/n] Y
Get:1 http://deb.debian.org/debian-security bullseye-security/main amd64 tzdata all 2025a-0+deb11u1 [306 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security/main amd64 libxslt1.1 amd64 1.1.34-4+deb11u2 [240 kB]
Fetched 546 kB in 0s (2,101 kB/s)   
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 14269 files and directories currently installed.)
Preparing to unpack .../tzdata_2025a-0+deb11u1_all.deb ...
Unpacking tzdata (2025a-0+deb11u1) over (2024b-0+deb11u1) ...
Preparing to unpack .../libxslt1.1_1.1.34-4+deb11u2_amd64.deb ...
Unpacking libxslt1.1:amd64 (1.1.34-4+deb11u2) over (1.1.34-4+deb11u1) ...
Setting up tzdata (2025a-0+deb11u1) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline

Current default time zone: 'Etc/UTC'
Local time is now:      Mon Mar 31 05:15:15 UTC 2025.
Universal Time is now:  Mon Mar 31 05:15:15 UTC 2025.
Run 'dpkg-reconfigure tzdata' if you wish to change it.

Setting up libxslt1.1:amd64 (1.1.34-4+deb11u2) ...
Processing triggers for libc-bin (2.31-13+deb11u11) ...

At the moment, only the libxslt1.1 dependency can be updated. If this issue is considered extremely critical, we may need to ask the upstream Postgres repository to rebuild the image.

[vivekshiva444]

Dear Imre,

Thank you for your prompt and detailed response. I appreciate the clarification regarding the vulnerabilities originating from the upstream PostgreSQL image and the information on how PostGIS rebuilds its images weekly.

As per your suggestion, we will include the following command in our container to update libxslt1.1 and mitigate its vulnerabilities.RUN apt-get update && apt-get upgrade -y libxslt1.1.

Additionally, we will compare the security scan results of postgres:15-bullseye and postgis/postgis:15-3.5 to verify that the reported issues align with the upstream base image.

Thank you again for your guidance. Looking forward to future updates, especially regarding the transition to a Debian 12-based image.

Best regards,
Vivek Shiva