Closed
Summary
The trust-pkg-debian-bookworm image has Go stdlib vulnerabilities that can be resolved by rebuilding with the current build toolchain, which already uses Go 1.25.6.
Affected Image
quay.io/jetstack/trust-pkg-debian-bookworm:20230311-deb12u1.3
Vulnerabilities
| CVE | Severity | Description |
|---|---|---|
| CVE-2025-61726 | HIGH | net/url: Memory exhaustion in query parameter parsing |
| CVE-2025-61728 | HIGH | archive/zip: Excessive CPU consumption when building archive index |
| CVE-2025-61730 | MEDIUM | TLS 1.3 handshake issue |
All three are fixed in Go 1.25.6.
Trivy Scan Output
Report Summary
┌─────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/jetstack/trust-pkg-debian-bookworm:20230311-deb12u1.3 (alpine 3.21) │ alpine │ 0 │ - │
├─────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ ko-app/debian-bundle-static │ gobinary │ 3 │ - │
└─────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
ko-app/debian-bundle-static (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-61726 │ HIGH │ fixed │ v1.25.5 │ 1.24.12, 1.25.6 │ golang: net/url: Memory exhaustion in query parameter │
│ │ │ │ │ │ │ parsing in net/url │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-61726 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-61728 │ │ │ │ │ golang: archive/zip: Excessive CPU consumption when building │
│ │ │ │ │ │ │ archive index in archive/zip │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-61728 │
│ ├────────────────┼──────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-61730 │ MEDIUM │ │ │ │ During the TLS 1.3 handshake if multiple messages are sent │
│ │ │ │ │ │ │ in records... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-61730 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘
Thank you!
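A practitioner triaging a report like this usually wants to confirm the toolchain version independently of the scanner before and after the rebuild. The Go program below is an added example, not code from the trust-manager project or from the issue author: it reads the Go version stamped into a binary with the standard library's debug/buildinfo package (the same value `go version -m <binary>` prints) and decides whether that version predates the fix, given Trivy's comma-separated "Fixed Version" column such as "1.24.12, 1.25.6". The decision rule encodes how Go backports security fixes to the two supported minor lines: a binary on a minor line that has a fixed release is vulnerable if it is older than that release; a binary on a minor line older than any fixed release is vulnerable; a binary on a minor line newer than every fixed release is treated as fixed. The program name `gocheck` and the path to the extracted binary are assumptions for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version such as "go1.25.5".
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "go1.25.5", "1.25.5" or "1.25" (patch defaults to 0).
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q: %w", s, err)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// less reports whether v is an older release than o.
func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// vulnerable reports whether a binary built with the installed toolchain
// predates the fix. fixedVersions is the scanner's comma-separated list of
// fixed releases, one per supported minor line (for example "1.24.12, 1.25.6").
func vulnerable(installed, fixedVersions string) (bool, error) {
	inst, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	var fixes []goVersion
	for _, f := range strings.Split(fixedVersions, ",") {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		fixes = append(fixes, fv)
	}
	newest := fixes[0]
	for _, fv := range fixes {
		// Same minor line as the installed toolchain: compare patch releases.
		if fv.major == inst.major && fv.minor == inst.minor {
			return inst.less(fv), nil
		}
		if newest.less(fv) {
			newest = fv
		}
	}
	// No fix on this minor line: an older line has no fix at all, a newer
	// line already carries it.
	return inst.less(newest), nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <go-binary> <fixed-versions>")
		os.Exit(2)
	}
	// buildinfo.ReadFile parses the build information embedded by the Go linker,
	// so this works on a binary extracted from an image without running it.
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary with build info:", err)
		os.Exit(2)
	}
	vuln, err := vulnerable(info.GoVersion, os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s, fixed in %s, vulnerable=%v\n",
		os.Args[1], info.GoVersion, os.Args[2], vuln)
	if vuln {
		os.Exit(1)
	}
}
```

Run it against the binary pulled out of the image (for example after exporting the image filesystem with `crane export` or `docker create` plus `docker cp`, both assumed tooling here): `gocheck ./ko-app/debian-bundle-static "1.24.12, 1.25.6"`. For the affected tag it reports go1.25.5 and exits 1; after the rebuild it should report go1.25.6 and exit 0, which is the check to attach to the fix PR rather than relying on the scanner alone.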