Hello,
It seems that latest versions of PostgreSQL images were produced with previous trixie 13.4. Hence trivy scanner flagged them as having vulnerabilities. Here is example of report for latest image of 18.4
Report Summary
┌─────────────────────────────────────────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ ghcr.io/cloudnative-pg/postgresql:18.4-202605180839-standard-trixie (debian │ debian │ 2 │ - │
│ 13.4) │ │ │ │
├─────────────────────────────────────────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ /etc/ssl/private/ssl-cert-snakeoil.key │ text │ - │ 0 │
└─────────────────────────────────────────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
ghcr.io/cloudnative-pg/postgresql:18.4-202605180839-standard-trixie (debian 13.4)
=================================================================================
Total: 2 (CRITICAL: 2)
┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ libgnutls30t64 │ CVE-2026-33845 │ CRITICAL │ fixed │ 3.8.9-3+deb13u3 │ 3.8.9-3+deb13u4 │ gnutls: GnuTLS: Denial of Service via DTLS zero-length │
│ │ │ │ │ │ │ fragment │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-33845 │
│ ├────────────────┤ │ │ │ ├────────────────────────────────────────────────────────────┤
│ │ CVE-2026-42010 │ │ │ │ │ gnutls: gnutls: Authentication Bypass via NUL Character in │
│ │ │ │ │ │ │ Username │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-42010 │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
I guess it is linked to recent release of trixie 13.4, which is not updated in the artifact build pipeline.
Would it be possible to rebuild recent artifacts with updated Debian version?
Best regards,
Boris
Hello,
It seems that latest versions of PostgreSQL images were produced with previous trixie 13.4. Hence
trivyscanner flagged them as having vulnerabilities. Here is example of report for latest image of 18.4I guess it is linked to recent release of trixie 13.4, which is not updated in the artifact build pipeline.
Would it be possible to rebuild recent artifacts with updated Debian version?
Best regards,
Boris