fix(security): upgrade libgcrypt20 to patch CVE-2026-41989#116
Merged
The pinned python:3.14-slim-bookworm base ships libgcrypt20 1.10.1-3, which Trivy flags for CVE-2026-41989 (heap overflow / DoS via crafted ECDH ciphertext to gcry_pk_decrypt). bookworm-security carries the fix as 1.10.1-3+deb12u1 (DSA-6294-1). Add libgcrypt20 to the existing `--only-upgrade` apt line in the slim stage, mirroring the libgnutls30 pattern: no exact pin, so it always moves forward and becomes a harmless no-op once the base catches up.

The remaining 7 open code-scanning alerts are transitive Go deps of the bundled syft binary (go-git, go-billy, containerd). Their fixes are merged on syft's main but unreleased — v1.44.0, the latest tag, still pins the vulnerable versions. We build via `go install ...@vX.Y.Z`, so we can't override transitive deps; they resolve once syft cuts a release >v1.44.0 (Renovate already auto-tracks SYFT_VERSION).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
## What

Adds `libgcrypt20` to the existing `--only-upgrade` apt line in the `slim` stage so the image picks up the bookworm-security fix for CVE-2026-41989.

## Why

The pinned `python:3.14-slim-bookworm` base ships `libgcrypt20` 1.10.1-3, which Trivy flags for CVE-2026-41989 — a heap-based buffer overflow / DoS via crafted ECDH ciphertext to `gcry_pk_decrypt`. bookworm-security carries the patch as `1.10.1-3+deb12u1` (DSA-6294-1), but the base image lags the security archive.

This mirrors the `libgnutls30` pattern already in place: no exact version pin, so `--only-upgrade` always moves forward and becomes a harmless no-op once the base catches up (no downgrade-induced build failures).

## Scope — what this does not fix

This closes 1 of 8 open code-scanning alerts. The other 7 are transitive Go dependencies of the bundled `syft` binary:

Their fixes (`go-billy` 5.9.0, `go-git` 5.19.1, `containerd` 2.3.1) are already merged on syft's `main` but unreleased — `v1.44.0`, the latest tag, still pins the vulnerable versions. Because we build via `go install github.com/anchore/syft/cmd/syft@${SYFT_VERSION}`, we can't override transitive deps; they resolve automatically once syft cuts a release `>v1.44.0`. Renovate already auto-tracks `SYFT_VERSION`, so no manual action is needed there.

🤖 Generated with Claude Code
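The "no exact pin, so `--only-upgrade` always moves forward and becomes a no-op once the base catches up" argument rests entirely on Debian version ordering: `1.10.1-3` must sort below `1.10.1-3+deb12u1`, and a later base with `1.10.1-4` must sort above it. The script below is an added example, not code from this PR or its repository. It re-implements the dpkg version comparison in Python (epoch, then upstream, then Debian revision; `~` sorts before everything), runs it over Trivy-style findings to decide which packages the `--only-upgrade` line still needs, and renders that line. Assumptions: the comparator matches `dpkg --compare-versions` for these inputs (dpkg stays the authority); the field names `PkgName`, `InstalledVersion`, `FixedVersion` and `VulnerabilityID` follow Trivy's JSON report; the sample findings are constructed, with `examplepkg` and `otherpkg` being made-up packages that illustrate the no-op and no-fix cases.

```python
"""Decide which Debian packages an `apt-get install --only-upgrade` line
needs, from Trivy-style findings, using dpkg's version ordering.

Added example for the PR above; not the PR's or project's own code.
The comparator re-implements dpkg's algorithm (assumed to match
`dpkg --compare-versions` for these inputs). Field names follow
Trivy's JSON report; the sample findings are constructed.
"""
import functools


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit run, as dpkg defines it."""
    if c == "~":
        return -1          # '~' sorts before everything, even the empty string
    if c == "":
        return 0           # end of string
    if c.isalpha():
        return ord(c)      # letters in ASCII order
    return ord(c) + 256    # other characters ('+', '.', '-') sort after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision):
    alternate between a non-digit run and a numeric run until both are used up."""
    while a or b:
        # 1. leading non-digit runs, character by character
        ia = next((i for i, ch in enumerate(a) if ch.isdigit()), len(a))
        ib = next((i for i, ch in enumerate(b) if ch.isdigit()), len(b))
        ra, rb = a[:ia], b[:ib]
        for i in range(max(len(ra), len(rb))):
            oa = _order(ra[i] if i < len(ra) else "")
            ob = _order(rb[i] if i < len(rb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[ia:], b[ib:]
        # 2. leading digit runs, compared numerically
        ja = next((i for i, ch in enumerate(a) if not ch.isdigit()), len(a))
        jb = next((i for i, ch in enumerate(b) if not ch.isdigit()), len(b))
        da, db = int(a[:ja] or "0"), int(b[:jb] or "0")
        if da != db:
            return -1 if da < db else 1
        a, b = a[ja:], b[jb:]
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")   # last '-' starts the revision
    if not sep:
        upstream, revision = rest, ""                # absent revision compares like "0"
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is <, == or > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def upgrade_plan(findings: list[dict]) -> dict[str, str]:
    """Map package -> lowest fixed version for findings whose installed version
    is still below the fix. Packages already at or past the fix are left out:
    for them the unpinned --only-upgrade line is a no-op, never a downgrade."""
    plan: dict[str, str] = {}
    for f in findings:
        fixed = f.get("FixedVersion", "")
        if not fixed:
            continue      # no fix in the archive yet; apt cannot help here
        # Trivy may list several fixed versions separated by ", "; the installed
        # version counts as vulnerable only if it is below every one of them.
        candidates = [v.strip() for v in fixed.split(",")]
        if all(compare_versions(f["InstalledVersion"], c) < 0 for c in candidates):
            plan[f["PkgName"]] = min(candidates, key=functools.cmp_to_key(compare_versions))
    return plan


def apt_upgrade_line(plan: dict[str, str]) -> str:
    """Render the Dockerfile line: package names only, no '=version' pins,
    so it keeps working once the base image moves past the fix."""
    return "apt-get install -y --only-upgrade " + " ".join(sorted(plan))


# Constructed Trivy-style findings. The libgcrypt20 entry uses the versions from
# the PR; examplepkg (already past its fix) and otherpkg (no fix yet) are made up.
SAMPLE_FINDINGS = [
    {"VulnerabilityID": "CVE-2026-41989", "PkgName": "libgcrypt20",
     "InstalledVersion": "1.10.1-3", "FixedVersion": "1.10.1-3+deb12u1"},
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "examplepkg",
     "InstalledVersion": "2.4.0-1+deb12u2", "FixedVersion": "2.4.0-1+deb12u1"},
    {"VulnerabilityID": "CVE-0000-00002", "PkgName": "otherpkg",
     "InstalledVersion": "0.9-1", "FixedVersion": ""},
]

if __name__ == "__main__":
    plan = upgrade_plan(SAMPLE_FINDINGS)
    print(plan)
    print(apt_upgrade_line(plan))
```

Running it yields a plan containing only `libgcrypt20`, and the same code run against a future base that ships `1.10.1-4` (or `1.10.1-3+deb12u1` itself) returns an empty plan, which is exactly why the unpinned `--only-upgrade` line does not need to be removed once the base catches up.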