security: update pgedge 4.0.10-4 image

jason-lynch · jason-lynch · commit 81ba00f26ec7 · 2025-06-02T14:20:21.000-04:00
- Updates the Postgres release versions for Postgres 16 and 17
- Changes the Patroni installation method from `dnf` to `pip` to resolve
  several High and Medium CVEs
diff --git a/changes/unreleased/Security-20250602-142004.yaml b/changes/unreleased/Security-20250602-142004.yaml
@@ -0,0 +1,3 @@
+kind: Security
+body: Updated `pgedge` images to 4.0.10-4
+time: 2025-06-02T14:20:04.481947-04:00
diff --git a/docker/pgedge/CHANGELOG.md b/docker/pgedge/CHANGELOG.md
@@ -12,11 +12,18 @@
 
 #### pg16 variant
 
-- Upgraded to PostgreSQL 16.9-1
+- Upgraded to PostgreSQL 16.9-2
 
 #### pg17 variant
 
-- Upgraded to PostgreSQL 17.5-1
+- Upgraded to PostgreSQL 17.5-2
+
+#### All variants
+
+- Install Patroni from `pip` instead of with system package manager
+  - The system package manager provides outdated Python dependencies that
+    contain several Medium and High CVEs. Installing from `pip` gives us the
+    latest compatible package versions and resolves the CVEs.
 
 ## [4.0.10-3] - 2025-03-20
 
diff --git a/docker/pgedge/Dockerfile b/docker/pgedge/Dockerfile
@@ -27,7 +27,7 @@ dnf install -y epel-release dnf
 dnf config-manager --set-enabled crb
 dnf update -y --allowerasing
 xargs dnf install -y < /usr/share/pgedge/packages.txt
-pip install 'python-json-logger==3.2.1'
+pip install 'patroni[etcd,jsonlogger]==4.0.5'
 dnf remove -y python3-pip
 dnf clean all
 
@@ -38,4 +38,4 @@ USER postgres
 ENV PG_MAJOR=${POSTGRES_VERSION}
 ENV PATH=$PATH:/usr/pgsql-${POSTGRES_VERSION}/bin
 
-ENTRYPOINT ["/usr/bin/patroni"]
+ENTRYPOINT ["/usr/local/bin/patroni"]
diff --git a/docker/pgedge/packagelists/pg15_4.0.10-4.txt b/docker/pgedge/packagelists/pg15_4.0.10-4.txt
@@ -4,7 +4,6 @@ snowflake_15-2.2-1PGDG.rhel9
 lolor_15-1.2-1PGDG.rhel9
 postgis35_15-3.5.2-1PGDG.rhel9
 pgvector_15-0.8.0-1PGDG.rhel9
+pgbackrest-2.55.1-1PGDG.rhel9
 python3-pip-21.3.1-1.el9
-patroni-4.0.5-1PGDG.rhel9
-patroni-etcd-4.0.5-1PGDG.rhel9
-pgbackrest-2.54.2-1PGDG.rhel9
+python3-psycopg2-2.9.10-1PGDG.rhel9
diff --git a/docker/pgedge/packagelists/pg16_4.0.10-4.txt b/docker/pgedge/packagelists/pg16_4.0.10-4.txt
@@ -1,10 +1,9 @@
-postgresql16-server-16.9-1PGDG.rhel9
+postgresql16-server-16.9-2PGDG.rhel9
 spock_16-4.0.10-1PGDG.rhel9
 snowflake_16-2.2-1PGDG.rhel9
 lolor_16-1.2-1PGDG.rhel9
 postgis35_16-3.5.2-1PGDG.rhel9
 pgvector_16-0.8.0-1PGDG.rhel9
+pgbackrest-2.55.1-1PGDG.rhel9
 python3-pip-21.3.1-1.el9
-patroni-4.0.5-1PGDG.rhel9
-patroni-etcd-4.0.5-1PGDG.rhel9
-pgbackrest-2.54.2-1PGDG.rhel9
+python3-psycopg2-2.9.10-1PGDG.rhel9
diff --git a/docker/pgedge/packagelists/pg17_4.0.10-4.txt b/docker/pgedge/packagelists/pg17_4.0.10-4.txt
@@ -1,10 +1,9 @@
-postgresql17-server-17.5-1PGDG.rhel9
+postgresql17-server-17.5-2PGDG.rhel9
 spock_17-4.0.10-1PGDG.rhel9
 snowflake_17-2.2-1PGDG.rhel9
 lolor_17-1.2-1PGDG.rhel9
-postgis35_17-3.5.2-1PGDG.rhel9
+postgis35_17-3.5.3-1PGDG.rhel9
 pgvector_17-0.8.0-1PGDG.rhel9
+pgbackrest-2.55.1-1PGDG.rhel9
 python3-pip-21.3.1-1.el9
-patroni-4.0.5-1PGDG.rhel9
-patroni-etcd-4.0.5-1PGDG.rhel9
-pgbackrest-2.54.2-1PGDG.rhel9
+python3-psycopg2-2.9.10-1PGDG.rhel9

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+kind: Security`
	`2`	+body: Updated `pgedge` images to 4.0.10-4
	`3`	`+time: 2025-06-02T14:20:04.481947-04:00`