
Update spilo image to resolve some vulnerabilities

Open nanory opened this issue 1 year ago • 3 comments

The last official release of the spilo image is already more than 10 months old: https://github.com/zalando/spilo/releases/tag/3.0-p1

Are there any plans to update the spilo image in order to reduce some of the vulnerabilities that are caused by the installed packages and their age?

nanory avatar Jan 19 '24 11:01 nanory

The following comment might be the reason why it hasn't been updated for a while: https://github.com/zalando/spilo/issues/939#issuecomment-1794554874

nanory avatar Jan 19 '24 11:01 nanory

There has actually been a 3.1-p1 release that is more recent and fixes a lot of vulnerabilities; however, it is not shown on the releases page (see https://github.com/zalando/spilo/issues/960).

It is true, however, that it would be better to have more frequent releases of the image. Seeing how they are built, even based on the same commit, that would be enough to expose and distribute fixes for the applications and tools that are included in the image.

klehelley avatar Feb 02 '24 15:02 klehelley

To save people who are using the postgres-operator from some headaches, do not run 3.1-p1 with the latest released version of the operator. In that image, the patroni version introduced changes which make failover iffy.

  • https://github.com/zalando/postgres-operator/pull/2515

OlleLarsson avatar Feb 16 '24 09:02 OlleLarsson

ghcr.io/zalando/spilo-15:3.2-p1 is available (along with ghcr.io/zalando/spilo-16:3.2-p2)

hughcapet avatar Mar 07 '24 14:03 hughcapet