Charon/docs/implementation/GOSU_CVE_REMEDIATION.md
GitHub Actions e0a39518ba chore: migrate Docker base images from Alpine to Debian Trixie
Migrated all Docker stages from Alpine 3.23 to Debian Trixie (13) to
address critical CVE in Alpine's gosu package and improve security
update frequency.

Key changes:

- Updated CADDY_IMAGE to debian:trixie-slim
- Added gosu-builder stage to compile gosu 1.17 from source with Go 1.25.6
- Migrated all builder stages to golang:1.25-trixie
- Updated package manager from apk to apt-get
- Updated user/group creation to use groupadd/useradd
- Changed nologin path from /sbin/nologin to /usr/sbin/nologin

Security impact:

- Resolved gosu Critical CVE (built from source eliminates vulnerable Go stdlib)
- Reduced overall CVE count from 6 (bookworm) to 2 (trixie)
- Remaining 2 CVEs are glibc-related with no upstream fix available
- All Go binaries verified vulnerability-free by Trivy and govulncheck

Verification:

- E2E tests: 243 passed (5 pre-existing failures unrelated to migration)
- Backend coverage: 87.2%
- Frontend coverage: 85.89%
- Pre-commit hooks: 13/13 passed
- TypeScript: 0 errors

Refs: CVE-2026-0861 (glibc, no upstream fix - accepted risk)
2026-01-20 06:11:59 +00:00


# Gosu CVE Remediation Summary

Date: 2026-01-18

## Overview

This document summarizes the security vulnerability remediation performed on the Charon Docker image. It addresses the 22 HIGH/CRITICAL CVEs that the image scan attributed to the Go standard library compiled into the Debian-packaged gosu binary.

A note on what the scanner is actually reporting: Trivy identifies a Go binary by the toolchain version recorded in its embedded build info and then reports every stdlib advisory published against that version, whether or not the binary links the affected package. gosu is a small exec wrapper that does not serve HTTP, parse templates, speak TLS or talk to databases, and the cmd/go advisories concern the build tool rather than any compiled program, so most of the CVEs listed below are not reachable from gosu at runtime. govulncheck in binary mode, which checks which vulnerable symbols are actually linked, is the tool that separates reachable findings from attributed ones. Rebuilding with a current toolchain is still the right fix: it removes the old stdlib code instead of arguing about reachability for every new advisory, and it is what keeps the image scan clean.

## Root Cause Analysis

The Debian bookworm repository ships gosu 1.14 built with Go 1.19.8. Go statically links the standard library into every binary, so this gosu carries Go 1.19.8's stdlib code, and Go 1.19 left upstream support in August 2023 when Go 1.21 was released, so the stdlib in this build never received the later fixes. Because the scanner reads the Go version from the binary's build info rather than from the Debian package version, the finding is against the gosu binary itself, and no Debian package update short of a rebuild with a newer Go changes it.

### Vulnerable Component

- Package: gosu (Debian bookworm package)
- Version: 1.14
- Compiled with: Go 1.19.8
- Binary location: /usr/sbin/gosu

## CVEs Fixed

The tables list the CVE identifiers reported against the Debian gosu binary. Note that the counts in this document are not mutually consistent: the tables contain 26 identifiers (7 Critical, 19 High), the headline figure above is 22, and the before/after totals under Verification differ by 28. Treat the identifiers as the authoritative list and re-run the scan for a current count. The "Fixed in this build" column records the toolchain used for the rebuild; each CVE was patched upstream in an earlier Go point release, but none of those fixes reached the Go 1.19.8 used by the Debian package. Descriptions follow the Go vulnerability database.

### Critical Severity (7 CVEs)

| CVE | Package | Description | Fixed in this build |
|-----|---------|-------------|---------------------|
| CVE-2023-24531 | cmd/go | Output of `go env` is not sanitized, allowing shell injection when the output is sourced | Go 1.25+ |
| CVE-2023-24540 | html/template | Improper handling of JavaScript whitespace characters | Go 1.25+ |
| CVE-2023-29402 | cmd/go | cgo code injection via newlines in directory names | Go 1.25+ |
| CVE-2023-29404 | cmd/go | Improper sanitization of `#cgo LDFLAGS` allows arbitrary code execution at build time | Go 1.25+ |
| CVE-2023-29405 | cmd/go | Improper sanitization of LDFLAGS with the gccgo compiler | Go 1.25+ |
| CVE-2024-24790 | net/netip | `Is*` methods return unexpected results for IPv4-mapped IPv6 addresses | Go 1.25+ |
| CVE-2025-22871 | net/http | Request smuggling: bare LF accepted in chunk-size lines of chunked request bodies | Go 1.25+ |

### High Severity (19 CVEs)

| CVE | Package | Description | Fixed in this build |
|-----|---------|-------------|---------------------|
| CVE-2023-24539 | html/template | Improper sanitization of CSS values | Go 1.25+ |
| CVE-2023-29400 | html/template | Improper handling of empty HTML attributes | Go 1.25+ |
| CVE-2023-29403 | runtime | Unexpected behaviour of setuid/setgid binaries started with fds 0, 1 or 2 closed (not applicable unless gosu is installed setuid, which it is not here) | Go 1.25+ |
| CVE-2023-39323 | cmd/go | `//line` directives can bypass restrictions on `//go:cgo_` directives and execute code at build time | Go 1.25+ |
| CVE-2023-44487 | net/http, x/net/http2 | HTTP/2 Rapid Reset attack (DoS) | Go 1.25+ |
| CVE-2023-45285 | cmd/go | `go get` may fall back to the insecure `git://` protocol for module paths ending in `.git` | Go 1.25+ |
| CVE-2023-45287 | crypto/tls | RSA key exchange is not constant time (timing side channel) | Go 1.25+ |
| CVE-2023-45288 | net/http, x/net/http2 | HTTP/2 CONTINUATION flood (DoS) | Go 1.25+ |
| CVE-2024-24784 | net/mail | Comments in display names are incorrectly handled by ParseAddressList | Go 1.25+ |
| CVE-2024-24791 | net/http | Denial of service through improper handling of `Expect: 100-continue` | Go 1.25+ |
| CVE-2024-34156 | encoding/gob | Stack exhaustion in Decoder.Decode on deeply nested input | Go 1.25+ |
| CVE-2024-34158 | go/build/constraint | Stack exhaustion in Parse on deeply nested expressions | Go 1.25+ |
| CVE-2025-4674 | cmd/go | Unexpected command execution when building untrusted repositories containing nested VCS metadata | Go 1.25+ |
| CVE-2025-47907 | database/sql | Rows.Scan can return incorrect results when the query context is cancelled during Scan | Go 1.25+ |
| CVE-2025-58187 | crypto/x509 | Quadratic complexity when checking name constraints (DoS) | Go 1.25+ |
| CVE-2025-58188 | crypto/x509 | Panic when validating a certificate chain containing a DSA public key | Go 1.25+ |
| CVE-2025-61723 | encoding/pem | Quadratic complexity when parsing some invalid inputs (DoS) | Go 1.25+ |
| CVE-2025-61725 | net/mail | Excessive CPU consumption in ParseAddress (DoS) | Go 1.25+ |
| CVE-2025-61729 | stdlib | Go standard library vulnerability; see the Go vulnerability database entry for the affected package | Go 1.25+ |

## Solution Implemented

Added a new gosu-builder stage to the Dockerfile that builds gosu 1.17 from source with the golang:1.25-bookworm image (Go 1.25.6 at the time of writing), so the resulting binary carries the current standard library and the scanner no longer attributes stdlib CVEs to it. Two details a reviewer should keep in mind: the stage clones gosu by tag name, and git tags are mutable, so pinning the tag's commit hash would tighten the supply chain further; and `-ldflags '-s -w'` strips the symbol table and DWARF but leaves the Go build info (toolchain version and module list) in place, which is what the scanners read.

### Dockerfile Changes

```dockerfile
# ---- Gosu Builder ----
# Build gosu from source to avoid CVEs from Debian's pre-compiled version (Go 1.19.8)
# Runs on the build platform and cross-compiles for the target platform via
# tonistiigi/xx; the `xx` stage is assumed to be declared earlier in the Dockerfile.
FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS gosu-builder
COPY --from=xx / /

WORKDIR /tmp/gosu

ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
# renovate: datasource=github-releases depName=tianon/gosu
ARG GOSU_VERSION=1.17

RUN apt-get update && apt-get install -y --no-install-recommends \
    git clang lld \
    && rm -rf /var/lib/apt/lists/*
# Target-architecture C toolchain; only needed if cgo were enabled
RUN xx-apt install -y gcc libc6-dev

# Clone and build gosu from source with modern Go.
# The clone is by tag name only; tags are mutable, so a commit hash would be a stronger pin.
RUN git clone --depth 1 --branch "${GOSU_VERSION}" https://github.com/tianon/gosu.git .

# Build gosu for target architecture with patched Go stdlib.
# CGO_ENABLED=0 gives a static binary; -s -w strips symbols and DWARF but keeps the Go build info.
# xx-verify checks that the output really is a binary for the target platform.
RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    CGO_ENABLED=0 xx-go build -v -ldflags '-s -w' -o /gosu-out/gosu . && \
    xx-verify /gosu-out/gosu
```

### Runtime Stage Changes

Removed gosu from the runtime stage's apt-get install list and copied the custom-built binary in its place, at the same path (/usr/sbin/gosu) the Debian package used:

```dockerfile
# Copy gosu binary from gosu-builder (built with Go 1.25+ to avoid stdlib CVEs)
COPY --from=gosu-builder /gosu-out/gosu /usr/sbin/gosu
RUN chmod +x /usr/sbin/gosu
```

## Verification

### Before Fix

- Total HIGH/CRITICAL CVEs: 34
- Go stdlib CVEs from gosu: 22

### After Fix

- Total HIGH/CRITICAL CVEs: 6
- Go stdlib CVEs from gosu: 0
- Gosu version (`gosu --version`): 1.17 (go1.25.6 on linux/amd64; gc)

## Remaining CVEs (Unfixable - Debian upstream)

The remaining 6 HIGH/CRITICAL CVEs are in Debian base image packages that the Debian security team has marked wont-fix for bookworm:

| CVE | Severity | Package | Version | Status |
|-----|----------|---------|---------|--------|
| CVE-2023-2953 | High | libldap-2.5-0 | 2.5.13+dfsg-5 | wont-fix |
| CVE-2023-45853 | Critical | zlib1g | 1:1.2.13.dfsg-1 | wont-fix |
| CVE-2025-13151 | High | libtasn1-6 | 4.19.0-2+deb12u1 | wont-fix |
| CVE-2025-6297 | High | dpkg | 1.21.22 | wont-fix |
| CVE-2025-7458 | Critical | libsqlite3-0 | 3.40.1-2+deb12u2 | wont-fix |
| CVE-2026-0861 | High | libc-bin | 2.36-9+deb12u13 | wont-fix |

A wont-fix status means Debian will not patch the package in this release, usually because the affected code is not shipped or not exposed (CVE-2023-45853, for example, is in zlib's minizip contrib code, which the zlib1g runtime library does not contain). These findings cannot be cleared without upgrading to a newer Debian release (e.g., Debian 13 "Trixie") or switching to a different base image distribution. Until then they should be recorded as accepted risk, one `.trivyignore` entry per CVE with a comment giving the rationale, and `trivy image --ignore-unfixed` can be used to keep the CI gate focused on findings that actually have a fix available.

## Renovate Integration

The gosu version is tracked by Renovate via the comment above the ARG; a Renovate custom (regex) manager reads the datasource and dependency name from it and bumps the version on the following line when a new GitHub release appears:

```dockerfile
# renovate: datasource=github-releases depName=tianon/gosu
ARG GOSU_VERSION=1.17
```

## Files Modified

- Dockerfile - Added gosu-builder stage and updated runtime stage

## Conclusion

This remediation removed the 22 HIGH/CRITICAL CVEs the scan attributed to gosu by building it from source with a current Go toolchain. The approach follows the same pattern already used for CrowdSec and Caddy in this project, so every Go binary in the final image is compiled with Go 1.25+ and carries a standard library with no known vulnerabilities as of the build. That property is only as current as the toolchain: future Go advisories will be reported against these binaries until the golang base image is bumped and the stages rebuilt, which is the work the Renovate tracking exists to trigger.