Request for base image update to address multiple critical vulnerabilities in wodby/php:8.5

[dhaley]

Hi Wodby team,

We use the wodby/php:8.5 image in production environments.

There are multiple critical and high-severity vulnerabilities in the current version affecting PostgreSQL 18.1, Go stdlib 1.25.4, and golang.org/x/net v0.38.0:

Critical Severity:

• CVE-2025-68121 (CVSS 10.0) - TLS session resumption vulnerability in crypto/tls that may succeed when it should have failed
  • Package: go/stdlib
  • Installed version: 1.25.4
  • Fixed version: 1.26.0-rc.3
  • Exploit available: YES
  • Reference: https://groups.google.com/g/golang-announce/c/K09ubi9FQFk

High Severity:

• CVE-2026-2004 (CVSS 8.8) - Missing validation in PostgreSQL intarray extension allows arbitrary code execution

  • Package: postgresql18
  • Installed version: 18.1-r0
  • Fixed version: 18.2-r0
  • Exploit available: YES
  • Reference: https://www.postgresql.org/support/security/CVE-2026-2004/

• CVE-2026-2005 (CVSS 8.8) - Heap buffer overflow in PostgreSQL pgcrypto allows arbitrary code execution

  • Package: postgresql18
  • Installed version: 18.1-r0
  • Fixed version: 18.2-r0
  • Reference: https://www.postgresql.org/support/security/CVE-2026-2005/

• CVE-2026-2006 (CVSS 8.8) - Missing validation in PostgreSQL text manipulation allows buffer overrun

  • Package: postgresql18
  • Installed version: 18.1-r0
  • Fixed version: 18.2-r0
  • Reference: https://www.postgresql.org/support/security/CVE-2026-2006/

• CVE-2026-2007 (CVSS 8.2) - Heap buffer overflow in PostgreSQL pg_trgm extension

  • Package: postgresql18
  • Installed version: 18.1-r0
  • Fixed version: 18.2-r0
  • Reference: https://www.postgresql.org/support/security/CVE-2026-2007/

• CVE-2025-61726 (CVSS 7.5) - Excessive memory consumption in net/url query parameter parsing

  • Package: go/stdlib
  • Installed version: 1.25.4
  • Fixed version: 1.25.6
  • Reference: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

• CVE-2025-61729 (CVSS 7.5) - Excessive resource consumption in crypto/x509 HostnameError

  • Package: go/stdlib
  • Installed version: 1.25.4
  • Fixed version: 1.25.5
  • Reference: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

Medium Severity:

• CVE-2025-61727 (CVSS 6.5) - Wildcard SAN certificate constraint bypass in crypto/x509

  • Package: go/stdlib
  • Installed version: 1.25.4
  • Fixed version: 1.25.5

• CVE-2025-61728 (CVSS 6.5) - DoS via malicious ZIP archive in archive/zip

  • Package: go/stdlib
  • Installed version: 1.25.4
  • Fixed version: 1.25.6

• CVE-2025-61730 (CVSS 5.3) - Information disclosure in TLS 1.3 handshake

  • Package: go/stdlib
  • Installed version: 1.25.4
  • Fixed version: 1.25.6

• CVE-2025-58190 (CVSS 5.3) - Infinite parsing loop in golang.org/x/net/html

  • Package: golang.org/x/net
  • Installed version: v0.38.0
  • Fixed version: 0.45.0
  • Exploit available: YES
  • Reference: https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c

• CVE-2025-47911 (CVSS 5.3) - Quadratic parsing complexity in golang.org/x/net/html

  • Package: golang.org/x/net
  • Installed version: v0.38.0
  • Fixed version: 0.45.0
  • Exploit available: YES
  • Reference: https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c

• CVE-2026-2003 (CVSS 4.3) - Improper validation of type "oidvector" in PostgreSQL

  • Package: postgresql18
  • Installed version: 18.1-r0
  • Fixed version: 18.2-r0
  • Reference: https://www.postgresql.org/support/security/CVE-2026-2003/

Recommended Actions:

1. Update PostgreSQL 18 to version 18.2-r0 or later
2. Update Go stdlib to version 1.26.0-rc.3 or later (which will also resolve the 1.25.5 and 1.25.6 requirements)
3. Update golang.org/x/net to version 0.45.0 or later

Thanks so much for maintaining this project!

Damon