jsell-rh opened a new issue, #2357: URL: https://github.com/apache/age/issues/2357
## Summary

The `apache/age` Docker images (including `release_PG18_1.7.0`, the latest release) are being flagged by container scanners for **CVE-2025-68121**, a critical vulnerability (CVSS 10.0) in Go's `crypto/tls` standard library.

## CVE Details

**CVE-2025-68121** — Go `crypto/tls` session resumption auth bypass

During TLS session resumption, if the underlying `Config` has its `ClientCAs` or `RootCAs` fields mutated between the initial and resumed handshake, the resumed handshake may succeed when it should have failed. This can allow certificate validation to be bypassed.

- **CVSS:** 10.0 (Critical)
- **Fixed in:** Go 1.24.13, Go 1.25.7, Go 1.26.0+
- **Published:** 2026-02-05

## Impact on apache/age Images

While Apache AGE is a C/SQL PostgreSQL extension, the Docker image ships with one or more Go-compiled binaries built against a vulnerable version of Go (< 1.24.13). Container scanners (Trivy, Docker Scout, etc.) detect the vulnerable Go build metadata embedded in the image and flag it.

## Requested Fix

Please rebuild and publish updated Docker images compiled against **Go ≥ 1.24.13** (or ≥ 1.25.7 if on the 1.25 series).

## References

- [NVD - CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121)
- [Go issue tracker](https://github.com/golang/go/issues)
- [Docker Scout advisory](https://scout.docker.com/vulnerabilities/id/CVE-2025-68121)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
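The Go build metadata that the scanners inspect (see the impact section of the issue) can be checked directly with the standard library. The program below is an added example, not code from the issue, from Apache AGE or from any scanner: it reads a binary's embedded toolchain version with `debug/buildinfo` and compares it against the patched releases listed in the issue (1.24.13, 1.25.7, 1.26.0+); following the issue's own "< 1.24.13" wording, it also treats older series as unpatched.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// First patched release per minor series, as stated in the issue:
// Go 1.24.13, Go 1.25.7, and everything from Go 1.26.0 on.
var fixedPatch = map[int]int{24: 13, 25: 7}
// Toolchain strings as recorded in build info, e.g. "go1.24.12" or "go1.25rc1".
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// Vulnerable reports whether a toolchain version predates the fix.
// Pre-release strings ("go1.25rc1") carry no patch number and count as .0.
func Vulnerable(goVersion string) (bool, error) {
	m := goVersionRe.FindStringSubmatch(goVersion)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3]) // "" yields 0 (its error is deliberately ignored)
	if major > 1 || minor >= 26 {
		return false, nil // 1.26.0 and later ship the fix
	}
	if minor < 24 {
		return true, nil // older series got no fix; the issue says "< 1.24.13"
	}
	return patch < fixedPatch[minor], nil
}

// CheckBinary reads the Go build info embedded in an executable (the same
// metadata Trivy and Docker Scout inspect) and classifies its toolchain.
func CheckBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err // not a Go binary, or build info stripped
	}
	vuln, err := Vulnerable(info.GoVersion)
	return info.GoVersion, vuln, err
}

func main() { // usage: go run . /path/to/binary ... (e.g. binaries copied out of the image)
	for _, p := range os.Args[1:] {
		v, vuln, err := CheckBinary(p)
		fmt.Printf("%s: version=%q vulnerable=%t err=%v\n", p, v, vuln, err)
	}
}
```

Binaries built with `-trimpath` still carry the toolchain version; only a binary whose build info section has been stripped entirely is reported as skipped rather than classified.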
