Skip to content

Commit 615e5a9

Browse files
committed
fix: downgrade pgx/v4 to v4.18.3 to address buffer overflow vulnerability
1 parent 5b85d18 commit 615e5a9

2 files changed

Lines changed: 39 additions & 2 deletions

File tree

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -383,7 +383,7 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
383383
go get google.golang.org/grpc@v1.80.0 && \
384384
# CVE-2026-32286: pgproto3/v2 buffer overflow (no v2 fix exists; bump pgx/v4 to latest patch)
385385
# renovate: datasource=go depName=github.com/jackc/pgx/v4
386-
go get github.com/jackc/pgx/v4@v5.9.1 && \
386+
go get github.com/jackc/pgx/v4@v4.18.3 && \
387387
# GHSA-xmrv-pmrh-hhx2: AWS SDK v2 event stream injection
388388
# renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
389389
go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.8 && \

docs/plans/current_spec.md

Lines changed: 38 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -360,7 +360,44 @@ The `pgproto3/v2` module has **no patched release** — the fix exists only in `
360360

361361
---
362362

363-
## 8. Commands Reference
363+
## 8. CI Failure Amendment: pgx/v4 Module Path Mismatch
364+
365+
**Date**: 2026-04-09
366+
**Failure**: PR #921 `build-and-push` job, step `crowdsec-builder 7/11`
367+
**Error**: `go: github.com/jackc/pgx/v4@v5.9.1: invalid version: go.mod has non-.../v4 module path "github.com/jackc/pgx/v5" (and .../v4/go.mod does not exist) at revision v5.9.1`
368+
369+
### Root Cause
370+
371+
Dockerfile line 386 specifies `go get github.com/jackc/pgx/v4@v5.9.1`. This mixes the v4 module path with a v5 version tag. Go's semantic import versioning rejects this because tag `v5.9.1` declares module path `github.com/jackc/pgx/v5` in its go.mod.
372+
373+
### Fix
374+
375+
**Dockerfile line 386** — change:
376+
```dockerfile
377+
go get github.com/jackc/pgx/v4@v5.9.1 && \
378+
```
379+
to:
380+
```dockerfile
381+
go get github.com/jackc/pgx/v4@v4.18.3 && \
382+
```
383+
384+
No changes needed to the Renovate annotation (line 385) or the CVE comment (line 384) — both are already correct.
385+
386+
### Why v4.18.3
387+
388+
- CrowdSec v1.7.7 uses `github.com/jackc/pgx/v4 v4.18.2` (direct dependency)
389+
- v4.18.3 is the latest and likely final v4 release
390+
- pgproto3/v2 is archived at v2.3.3 (July 2025) — no fix will be released in the v2 line
391+
- The CVE (pgproto3/v2 buffer overflow) can only be fully resolved by CrowdSec migrating to pgx/v5 upstream
392+
- Bumping pgx/v4 to v4.18.3 gets the latest v4 maintenance patch; the CVE remains an accepted risk per §5
393+
394+
### Validation
395+
396+
The same `docker build` that previously failed at step 7/11 should now pass through the CrowdSec dependency patching stage and proceed to compilation (steps 8-11).
397+
398+
---
399+
400+
## 9. Commands Reference
364401

365402
```bash
366403
# === Backend dependency upgrades ===

0 commit comments

Comments
 (0)