
Bust Docker layer cache to fix CVE-2025-68973 (gpgv) #133

Open
willyguggenheim wants to merge 1 commit into FusionAuth:develop from willyguggenheim:fix/cache-bust-gpgv-cve

Conversation


@willyguggenheim willyguggenheim commented Feb 6, 2026

Summary

  • Add a one-time cache-bust to force apt-get update && apt-get upgrade to run on the next build, picking up the gpgv fix (2.4.4-2ubuntu17.3 → 2.4.4-2ubuntu17.4)

Motivation

The published fusionauth/fusionauth-app:latest image on Docker Hub has gpgv 2.4.4-2ubuntu17.3 which is affected by:

  • CVE-2025-68973 (HIGH) - Information disclosure and potential arbitrary code execution via out-of-bounds write in GnuPG

The Dockerfile already has apt-get -y upgrade but Docker layer caching prevents it from running. This one-line change invalidates the cached layer.

Additional note

Trivy also reports two HIGH findings in lz4-java 1.8.0 (CVE-2025-12183 and CVE-2025-66566) bundled in the FusionAuth app zip from files.fusionauth.io. These require updating the lz4-java dependency in the FusionAuth app build, which is outside the scope of this Dockerfile.

Change

-RUN apt-get update \
+RUN echo "cache-bust-2026-02-06-CVE-2025-68973" > /dev/null \
+    && apt-get update \
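Review bot: the literal `cache-bust-2026-02-06-CVE-2025-68973` invalidates the cached layer exactly once; the next time Ubuntu publishes a security update the same stale-layer problem comes back until someone edits this line again. Consider making the bust an input instead: declare `ARG CACHE_BUST` before this instruction and use `RUN echo "cache-bust=${CACHE_BUST}" > /dev/null && apt-get update ...`, so the release pipeline can pass a fresh value (a date or run id) with `--build-arg` on every build without a source change; building release images with `--no-cache` is the blunter alternative. The hunk also stops after `apt-get update \`; showing the `apt-get -y upgrade` continuation the description mentions would let reviewers confirm that update and upgrade still run in the same layer, which is what makes the bust effective.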

Test plan

  • Confirmed fusionauth/fusionauth-app:latest on Docker Hub has CVE-2025-68973 via trivy scan
  • Built locally with --build-arg FUSIONAUTH_VERSION=1.62.1 --no-cache
  • Trivy scan confirms gpgv CVE-2025-68973 is resolved (0 OS-level HIGH/CRITICAL)
  • Only remaining findings are lz4-java CVEs in the FusionAuth app artifact (not fixable in Dockerfile)

The published image has gpgv 2.4.4-2ubuntu17.3 which is affected by
CVE-2025-68973 (HIGH). The Dockerfile already runs apt-get upgrade
but the cached layer prevents it from executing. This one-time cache
bust forces a fresh apt-get update && upgrade on the next build.
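The cache-busting pattern this PR relies on, written out as an added example; it is not the FusionAuth Dockerfile and not the author's change. It puts the one-shot literal from the hunk beside a build-argument variant that a pipeline can refresh on every release build without editing the file. The `ubuntu:24.04` base image and the `CACHE_BUST` argument name are assumptions.

```dockerfile
# Added example, not from the FusionAuth repository. The base image is assumed.
FROM ubuntu:24.04

# Variant A (what the PR does): a fixed literal inside the RUN instruction.
# Editing the string changes this layer's cache key once; from then on the
# layer is cached again and later security updates are missed until the
# string is edited a second time.
# RUN echo "cache-bust-2026-02-06-CVE-2025-68973" > /dev/null \
#     && apt-get update \
#     && apt-get -y upgrade \
#     && rm -rf /var/lib/apt/lists/*

# Variant B: a build argument. When the value passed at build time differs
# from the previous build, the first instruction that uses the ARG (and every
# layer after it) gets a cache miss, so update and upgrade run again without
# a source change. The default keeps plain local builds unchanged.
ARG CACHE_BUST=1
RUN echo "cache-bust=${CACHE_BUST}" > /dev/null \
    && apt-get update \
    && apt-get -y upgrade \
    && rm -rf /var/lib/apt/lists/*
```

A release build would pass something like `docker build --build-arg CACHE_BUST="$(date +%F)" --build-arg FUSIONAUTH_VERSION=1.62.1 -t <image-tag> .`, and the check that the fix actually landed is to read the installed package version from the result, `docker run --rm <image-tag> dpkg-query -W -f '${Version}\n' gpgv`, before trusting a scanner's verdict.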
@willyguggenheim willyguggenheim requested review from a team as code owners February 6, 2026 05:22