From 9b7fa0a8b7b11138f1aa1af713beecee488f8828 Mon Sep 17 00:00:00 2001 From: Schuby <12485317+schubydoo@users.noreply.github.com> Date: Sun, 31 May 2026 20:45:14 -0700 Subject: [PATCH] fix(security): upgrade libgcrypt20 to patch CVE-2026-41989 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pinned python:3.14-slim-bookworm base ships libgcrypt20 1.10.1-3, which Trivy flags for CVE-2026-41989 (heap overflow / DoS via crafted ECDH ciphertext to gcry_pk_decrypt). bookworm-security carries the fix as 1.10.1-3+deb12u1 (DSA-6294-1). Add libgcrypt20 to the existing `--only-upgrade` apt line in the slim stage, mirroring the libgnutls30 pattern: no exact pin, so it always moves forward and becomes a harmless no-op once the base catches up. The remaining 7 open code-scanning alerts are transitive Go deps of the bundled syft binary (go-git, go-billy, containerd). Their fixes are merged on syft's main but unreleased — v1.44.0, the latest tag, still pins the vulnerable versions. We build via `go install ...@vX.Y.Z`, so we can't override transitive deps; they resolve once syft cuts a release >v1.44.0 (Renovate already auto-tracks SYFT_VERSION). Co-Authored-By: Claude Opus 4.8 --- Dockerfile | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8526e28..d76542f 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -72,12 +72,16 @@ RUN set -eux; \ # - `dockerize --output-oci PATH` → write a portable OCI image archive. # Published as `:slim` and `:X.Y[.Z]-slim`. # -# Why the libgnutls upgrade: the pinned base lags Debian's security archive (it -# ships 3.7.9-2+deb12u6; deb12u7 fixes the GnuTLS CVE batch — CVE-2026-33845, -# CVE-2026-42010, and others). `--only-upgrade` (no exact pin) always moves -# forward, so it is a harmless no-op once the base catches up — unlike a pinned -# `=deb12u7`, which would fail the build by implying a downgrade. Drop it once -# the base no longer lags. +# Why the apt upgrades: the pinned base lags Debian's security archive, so we +# pull forward specific patched libs the scanners flag: +# - libgnutls30: base ships 3.7.9-2+deb12u6; deb12u7 fixes the GnuTLS CVE +# batch — CVE-2026-33845, CVE-2026-42010, and others. +# - libgcrypt20: base ships 1.10.1-3; 1.10.1-3+deb12u1 (DSA-6294-1) fixes +# CVE-2026-41989, a heap overflow / DoS via crafted ECDH ciphertext to +# gcry_pk_decrypt. +# `--only-upgrade` (no exact pin) always moves forward, so each is a harmless +# no-op once the base catches up — unlike a pinned `=deb12u7`, which would fail +# the build by implying a downgrade. Drop a package once the base no longer lags. # ----------------------------------------------------------------------------- FROM python:3.14-slim-bookworm@sha256:a9bee15510a364124aa24692899d269835683b883de42f7ebec8c293cf679ccb AS slim @@ -88,7 +92,7 @@ ENV PYTHONDONTWRITEBYTECODE=1 \ RUN set -eux; \ apt-get update; \ - apt-get install --no-install-recommends -y --only-upgrade libgnutls30; \ + apt-get install --no-install-recommends -y --only-upgrade libgnutls30 libgcrypt20; \ rm -rf /var/lib/apt/lists/* COPY --from=builder /src/dist/*.whl /tmp/
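Review bot: the rewritten comment in the first hunk presents `--only-upgrade` purely as "always moves forward / harmless no-op once the base catches up", but it has a second silent behaviour worth documenting there: `apt-get install --only-upgrade` ignores packages that are not currently installed, so if a future base image drops libgnutls30 or libgcrypt20 (or the security archive is unreachable during `apt-get update`), the line still succeeds and nothing signals that the lib is missing or still at the old version. A sentence after "Drop a package once the base no longer lags." saying how to tell (compare the base's `dpkg-query -W -f='${Version}' libgcrypt20` against 1.10.1-3+deb12u1) would make the drop condition actionable instead of relying on scanner output going quiet.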
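Review bot: the `--only-upgrade libgnutls30 libgcrypt20` line in the RUN hunk has no check that the upgrade actually landed. Because there is no pin, apt quietly does nothing if bookworm-security offers nothing newer than 1.10.1-3 (or the package is absent), so the build can pass with the version Trivy flags still present. Consider gating on the fix version named in the comment, between the install line and `rm -rf /var/lib/apt/lists/*`, e.g. `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libgcrypt20)" ge 1.10.1-3+deb12u1; \` (and the same for libgnutls30 against 3.7.9-2+deb12u7). That keeps the no-exact-pin property the comment wants (a newer base still satisfies `ge`) while failing loudly if both the base and the security archive lag.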
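The commit message and the Dockerfile comment both rest on how Debian orders versions: `1.10.1-3+deb12u1` must sort after `1.10.1-3`, and an exact `=deb12u7` pin must read as a downgrade once the base ships something newer. The following is an added example, not code from this patch or the project, that implements dpkg's version comparison in Python and uses it to model the two apt invocations the comment contrasts. The outcome labels and the `plan_*`/`meets_minimum` helper names are this example's own; the ordering rules (`~` sorts before everything, letters before other symbols, numeric runs compared as numbers, epoch then upstream then revision) follow dpkg's published algorithm.

```python
"""Debian version ordering, and what `--only-upgrade` vs. an exact pin implies.

Added example (not the project's code). compare_versions() mirrors
`dpkg --compare-versions`; the plan_* helpers and their outcome strings are
this example's own model of the apt behaviour described in the patch comment.
"""


def _order(c: str) -> int:
    # dpkg's weight for one character of a non-digit run: '~' sorts before
    # anything, even the end of the string; letters sort before other symbols.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; a digit or end counts as 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, then longer run wins, else first digit diff.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the revision follows the last '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, ordering like `dpkg --compare-versions`."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for x, y in ((u1, u2), (r1, r2)):
        c = _cmp_fragment(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def plan_only_upgrade(installed: str, candidate: str) -> str:
    """`apt-get install --only-upgrade PKG` with no pin: take the archive's
    candidate if it is newer, otherwise do nothing (never a downgrade)."""
    return "upgrade" if compare_versions(candidate, installed) > 0 else "noop"


def plan_exact_pin(installed: str, pinned: str) -> str:
    """`apt-get install PKG=PINNED`: a pin older than what is installed
    implies a downgrade, which is why the patch comment avoids exact pins."""
    c = compare_versions(pinned, installed)
    return "upgrade" if c > 0 else "noop" if c == 0 else "downgrade"


def meets_minimum(installed: str, required: str) -> bool:
    """Build gate: is the installed version at or past the fixed version?"""
    return compare_versions(installed, required) >= 0


if __name__ == "__main__":
    # Versions quoted in the commit message, used as sample input.
    print(plan_only_upgrade("1.10.1-3", "1.10.1-3+deb12u1"))           # upgrade
    print(plan_only_upgrade("1.10.1-3+deb12u2", "1.10.1-3+deb12u1"))   # noop
    print(plan_exact_pin("3.7.9-2+deb12u8", "3.7.9-2+deb12u7"))         # downgrade
    print(meets_minimum("1.10.1-3", "1.10.1-3+deb12u1"))                # False
```

Running the block with the versions from the commit message shows the asymmetry the comment relies on: `--only-upgrade` yields `upgrade` while the base lags and `noop` once it has caught up or moved past, whereas an exact pin turns into `downgrade` as soon as the base ships anything newer. `meets_minimum` is the check a build would run after the apt step to fail loudly instead of silently keeping the old library.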