cockroachdb
Patched Databases & Caching
from
mirror.gcr.io/cockroachdb/cockroach
Pull Reference
ghcr.io/verity-org/cockroachdb/cockroach
docker pull ghcr.io/verity-org/cockroachdb/cockroach
Copa-Patched Image
Patched in-place from the upstream image using Copa. OS-level vulnerabilities are fixed without rebuilding — same layers, same behavior, fewer CVEs.
Supply Chain
Full compliance details
Signed
SLSA L3
SBOM
Rekor
Verify this artifact
Cosign signature
cosign verify \
  --certificate-identity-regexp "https://github.com/verity-org/verity/.github/workflows/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/verity-org/cockroachdb/cockroach:v25.4.6
Build provenance
gh attestation verify \
  oci://ghcr.io/verity-org/cockroachdb/cockroach:v25.4.6 \
  --owner verity-org
Vulnerability Scan
Found 101 vulnerabilities in the original image. 1 fixed by Copa. 100 remaining after patching.
1 CRITICAL, 8 HIGH, 45 MEDIUM, 47 LOW
Fix available — pending patch
These vulnerabilities have upstream fixes but could not be automatically patched.
| ID | Package | Installed | Fixed | Severity |
|---|---|---|---|---|
| CVE-2025-68121 | stdlib | v1.23.12 | 1.24.13, 1.25.7, 1.26.0-rc.3 | CRITICAL |
| CVE-2025-58183 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | HIGH |
| CVE-2025-61726 | stdlib | v1.23.12 | 1.24.12, 1.25.6 | HIGH |
| CVE-2025-61728 | stdlib | v1.23.12 | 1.24.12, 1.25.6 | HIGH |
| CVE-2025-61729 | stdlib | v1.23.12 | 1.24.11, 1.25.5 | HIGH |
| CVE-2026-25679 | stdlib | v1.23.12 | 1.25.8, 1.26.1 | HIGH |
| CVE-2025-47912 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-58185 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-58186 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-58187 | stdlib | v1.23.12 | 1.24.9, 1.25.3 | MEDIUM |
| CVE-2025-58188 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-58189 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-61723 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-61724 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-61725 | stdlib | v1.23.12 | 1.24.8, 1.25.2 | MEDIUM |
| CVE-2025-61727 | stdlib | v1.23.12 | 1.24.11, 1.25.5 | MEDIUM |
| CVE-2025-61730 | stdlib | v1.23.12 | 1.24.12, 1.25.6 | MEDIUM |
| CVE-2026-27142 | stdlib | v1.23.12 | 1.25.8, 1.26.1 | MEDIUM |
| CVE-2026-27139 | stdlib | v1.23.12 | 1.25.8, 1.26.1 | LOW |
Awaiting upstream fix
No fix is available yet for these vulnerabilities.
| ID | Package | Installed | Severity | Fixed |
|---|---|---|---|---|
| CVE-2026-4424 | libarchive | 3.5.3-7.el9_7 | HIGH | |
| CVE-2026-27135 | libnghttp2 | 1.43.0-6.el9 | HIGH | |
| CVE-2025-5278 | coreutils-single | 8.32-39.el9 | MEDIUM | |
| CVE-2025-14017 | curl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-1965 | curl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-3783 | curl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-3784 | curl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-3805 | curl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2025-14087 | glib2 | 2.68.4-18.el9_7.1 | MEDIUM | |
| CVE-2025-14512 | glib2 | 2.68.4-18.el9_7.1 | MEDIUM | |
| CVE-2026-1484 | glib2 | 2.68.4-18.el9_7.1 | MEDIUM | |
| CVE-2026-1489 | glib2 | 2.68.4-18.el9_7.1 | MEDIUM | |
| CVE-2026-4437 | glibc | 2.34-231.el9_7.10 | MEDIUM | |
| CVE-2026-4437 | glibc-common | 2.34-231.el9_7.10 | MEDIUM | |
| CVE-2026-4437 | glibc-minimal-langpack | 2.34-231.el9_7.10 | MEDIUM | |
| CVE-2025-68972 | gnupg2 | 2.3.3-5.el9_7 | MEDIUM | |
| CVE-2023-30571 | libarchive | 3.5.3-7.el9_7 | MEDIUM | |
| CVE-2025-60753 | libarchive | 3.5.3-7.el9_7 | MEDIUM | |
| CVE-2026-4426 | libarchive | 3.5.3-7.el9_7 | MEDIUM | |
| CVE-2026-5121 | libarchive | 3.5.3-7.el9_7 | MEDIUM | |
| CVE-2025-14017 | libcurl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-1965 | libcurl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-3783 | libcurl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-3784 | libcurl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-3805 | libcurl-minimal | 7.76.1-35.el9_7.3 | MEDIUM | |
| CVE-2026-0990 | libxml2 | 2.9.13-14.el9_7 | MEDIUM | |
| CVE-2026-1757 | libxml2 | 2.9.13-14.el9_7 | MEDIUM | |
| CVE-2026-22185 | openldap | 2.6.8-4.el9 | MEDIUM | |
| CVE-2026-2100 | p11-kit | 0.25.3-3.el9_5 | MEDIUM | |
| CVE-2026-2100 | p11-kit-trust | 0.25.3-3.el9_5 | MEDIUM | |
| CVE-2026-29111 | systemd-libs | 252-55.el9_7.7 | MEDIUM | |
| CVE-2026-4105 | systemd-libs | 252-55.el9_7.7 | MEDIUM | |
| CVE-2005-2541 | tar | 2:1.34-9.el9_7 | MEDIUM | |
| CVE-2025-64118 | tar | 2:1.34-9.el9_7 | MEDIUM | |
| CVE-2026-33056 | tar | 2:1.34-9.el9_7 | MEDIUM | |
| CVE-2024-11053 | curl-minimal | 7.76.1-35.el9_7.3 | LOW | |
| CVE-2024-7264 | curl-minimal | 7.76.1-35.el9_7.3 | LOW | |
| CVE-2024-9681 | curl-minimal | 7.76.1-35.el9_7.3 | LOW | |
| CVE-2023-4156 | gawk | 5.1.0-6.el9 | LOW | |
| CVE-2023-32636 | glib2 | 2.68.4-18.el9_7.1 | LOW | |
| CVE-2025-3360 | glib2 | 2.68.4-18.el9_7.1 | LOW | |
| CVE-2025-7039 | glib2 | 2.68.4-18.el9_7.1 | LOW | |
| CVE-2026-0988 | glib2 | 2.68.4-18.el9_7.1 | LOW | |
| CVE-2026-1485 | glib2 | 2.68.4-18.el9_7.1 | LOW | |
| CVE-2026-4438 | glibc | 2.34-231.el9_7.10 | LOW | |
| CVE-2026-4438 | glibc-common | 2.34-231.el9_7.10 | LOW | |
| CVE-2026-4438 | glibc-minimal-langpack | 2.34-231.el9_7.10 | LOW | |
| CVE-2022-3219 | gnupg2 | 2.3.3-5.el9_7 | LOW | |
| CVE-2025-30258 | gnupg2 | 2.3.3-5.el9_7 | LOW | |
| CVE-2026-24883 | gnupg2 | 2.3.3-5.el9_7 | LOW | |
| CVE-2025-1632 | libarchive | 3.5.3-7.el9_7 | LOW | |
| CVE-2025-5915 | libarchive | 3.5.3-7.el9_7 | LOW | |
| CVE-2025-5916 | libarchive | 3.5.3-7.el9_7 | LOW | |
| CVE-2025-5917 | libarchive | 3.5.3-7.el9_7 | LOW | |
| CVE-2025-5918 | libarchive | 3.5.3-7.el9_7 | LOW | |
| CVE-2024-11053 | libcurl-minimal | 7.76.1-35.el9_7.3 | LOW | |
| CVE-2024-7264 | libcurl-minimal | 7.76.1-35.el9_7.3 | LOW | |
| CVE-2024-9681 | libcurl-minimal | 7.76.1-35.el9_7.3 | LOW | |
| CVE-2022-27943 | libgcc | 11.5.0-11.el9 | LOW | |
| CVE-2022-27943 | libstdc++ | 11.5.0-11.el9 | LOW | |
| CVE-2025-13151 | libtasn1 | 4.16.0-9.el9 | LOW | |
| CVE-2023-45322 | libxml2 | 2.9.13-14.el9_7 | LOW | |
| CVE-2024-34459 | libxml2 | 2.9.13-14.el9_7 | LOW | |
| CVE-2025-27113 | libxml2 | 2.9.13-14.el9_7 | LOW | |
| CVE-2025-6170 | libxml2 | 2.9.13-14.el9_7 | LOW | |
| CVE-2026-0989 | libxml2 | 2.9.13-14.el9_7 | LOW | |
| CVE-2026-0992 | libxml2 | 2.9.13-14.el9_7 | LOW | |
| CVE-2023-50495 | ncurses-base | 6.2-12.20210508.el9 | LOW | |
| CVE-2023-50495 | ncurses-libs | 6.2-12.20210508.el9 | LOW | |
| CVE-2026-2673 | openssl-fips-provider | 3.0.7-8.el9 | LOW | |
| CVE-2026-2673 | openssl-fips-provider-so | 3.0.7-8.el9 | LOW | |
| CVE-2024-13176 | openssl-libs | 1:3.5.1-7.el9_7 | LOW | |
| CVE-2024-41996 | openssl-libs | 1:3.5.1-7.el9_7 | LOW | |
| CVE-2025-9232 | openssl-libs | 1:3.5.1-7.el9_7 | LOW | |
| CVE-2026-2673 | openssl-libs | 1:3.5.1-7.el9_7 | LOW | |
| CVE-2022-41409 | pcre2 | 10.40-6.el9 | LOW | |
| CVE-2022-41409 | pcre2-syntax | 10.40-6.el9 | LOW | |
| CVE-2024-0232 | sqlite-libs | 3.34.1-9.el9_7 | LOW | |
| CVE-2025-70873 | sqlite-libs | 3.34.1-9.el9_7 | LOW | |
| CVE-2023-39804 | tar | 2:1.34-9.el9_7 | LOW | |
| CVE-2026-27171 | zlib | 1.2.11-40.el9 | LOW | |
Source
Copa (in-place patch)
Platforms
linux/amd64, linux/arm64
Registry
ghcr.io/verity-org
Upstream
mirror.gcr.io/cockroachdb/cockroach