From 8baed60961a619317c94ab8cfa8fffdbc174c10e Mon Sep 17 00:00:00 2001
From: John Myers <9696606+johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 09:33:41 -0700
Subject: [PATCH] fix(security): bump container dependencies to remediate 10 CVEs
- k3s v1.35.2-k3s1 -> v1.35.3-k3s1 (containerd v2.2.2, runc v1.4.1, Go 1.25.7)
- Docker CLI 29.3.0 -> 29.3.1 (Go 1.25.8, containerd v2.2.2)
- syft 1.42.2 -> 1.42.3 (bumps buger/jsonparser)
- Explicit gpgv and python3 upgrades in all container images
Addresses: GHSA-p77j-4mvh-x3m3 (Critical), GHSA-pwhc-rpq9-4c8w, GHSA-p436-gjf2-799p, GHSA-9h8m-3fm2-qjrq, GHSA-6v2p-p543-phr9, GHSA-6g7g-w4f8-9c9x, GHSA-4qg8-fj49-pxjh, CVE-2026-4519, CVE-2025-68973, CVE-2024-36623
Closes #735
---
 deploy/docker/Dockerfile.ci | 3 ++-
 deploy/docker/Dockerfile.images | 9 ++++++---
 mise.toml | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/deploy/docker/Dockerfile.ci b/deploy/docker/Dockerfile.ci
index 4ab01cebe..b87962b7e 100644
--- a/deploy/docker/Dockerfile.ci
+++ b/deploy/docker/Dockerfile.ci
@@ -8,7 +8,7 @@ FROM nvcr.io/nvidia/base/ubuntu:noble-20251013
-ARG DOCKER_VERSION=29.3.0
+ARG DOCKER_VERSION=29.3.1
 ARG BUILDX_VERSION=v0.32.1
 ARG TARGETARCH
@@ -34,6 +34,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 xz-utils \
 jq \
 rsync \
+ && apt-get install -y --only-upgrade gpgv python3 \
 && rm -rf /var/lib/apt/lists/*
 # Install Docker CLI and buildx plugin used by CI jobs
diff --git a/deploy/docker/Dockerfile.images b/deploy/docker/Dockerfile.images
index af17b9b0a..d078429df 100644
--- a/deploy/docker/Dockerfile.images
+++ b/deploy/docker/Dockerfile.images
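Review bot: The added `&& apt-get install -y --only-upgrade gpgv python3 \` takes whatever version the archive serves at build time, so the remediation is neither pinned nor verifiable: a stale mirror leaves no trace in the build, and nothing fails if the fixed version is not actually installed. Pin the fixed package versions instead (`&& apt-get install -y --only-upgrade gpgv=<fixed-version> python3=<fixed-version> \`, versions taken from the advisories) so the build breaks rather than silently shipping the vulnerable package, or bump the `noble-20251013` base tag to one that already carries the fixes and drop the ad-hoc upgrade. A comment above the line such as `# gpgv/python3 pulled forward for <advisory id from the commit message>; drop once the base tag moves past the fix` tells the next maintainer when it can go. The `AS gateway` and `-230` hunks in deploy/docker/Dockerfile.images add the same unpinned `--only-upgrade gpgv` and share this point. The RUN instruction starts outside the hunk.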
@@ -15,8 +15,8 @@
 # Pin by tag AND manifest-list digest to prevent silent upstream republishes
 # from breaking the build. Update both when bumping k3s versions.
 # To refresh: docker buildx imagetools inspect rancher/k3s: | head -3
-ARG K3S_VERSION=v1.35.2-k3s1
-ARG K3S_DIGEST=sha256:c3184157c3048112bab0c3e17405991da486cb3413511eba23f7650efd70776b
+ARG K3S_VERSION=v1.35.3-k3s1
+ARG K3S_DIGEST=sha256:4607083d3cac07e1ccde7317297271d13ed5f60f35a78f33fcef84858a9f1d69
 ARG K9S_VERSION=v0.50.18
 ARG HELM_VERSION=v3.17.3
 ARG NVIDIA_CONTAINER_TOOLKIT_VERSION=1.18.2-1
@@ -165,7 +165,9 @@ COPY --from=supervisor-builder /build/out/openshell-sandbox /openshell-sandbox
 FROM nvcr.io/nvidia/base/ubuntu:noble-20251013 AS gateway
 RUN apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates && rm -rf /var/lib/apt/lists/*
+ ca-certificates && \
+ apt-get install -y --only-upgrade gpgv && \
+ rm -rf /var/lib/apt/lists/*
 RUN useradd --create-home --user-group openshell
@@ -230,6 +232,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 iptables \
 mount \
 dnsutils \
+ && apt-get install -y --only-upgrade gpgv \
 && rm -rf /var/lib/apt/lists/*
 COPY --from=k3s /bin/ /bin/
diff --git a/mise.toml b/mise.toml
index d204f5316..4bcb4e072 100644
--- a/mise.toml
+++ b/mise.toml
@@ -20,7 +20,7 @@ uv = "0.10.2"
 protoc = "29.6"
 helm = "4.1.1"
 "ubi:mozilla/sccache" = { version = "0.14.0", matching = "sccache-v" }
-"ubi:anchore/syft" = { version = "1.42.2", matching = "syft_" }
+"ubi:anchore/syft" = { version = "1.42.3", matching = "syft_" }
 "ubi:EmbarkStudios/cargo-about" = "0.8.4"
 [env]
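Review bot: The gateway stage upgrades only `gpgv` (`apt-get install -y --only-upgrade gpgv && \`), while Dockerfile.ci upgrades `gpgv python3` and the commit message claims python3 upgrades in all container images; if python3 is present in the gateway or k3s stages (not visible in these hunks), the python3 advisory stays unremediated there. Either add `python3` to the `--only-upgrade` list in this hunk and in the `-230` hunk, which is harmless where the package is absent because apt reports a skip for a not-installed package rather than failing, or narrow the commit description to gpgv so the record matches what the images actually do. The gateway RUN instruction lies fully inside the hunk; the `-230` RUN starts outside its hunk.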