chore(cves) Latest CVE fixes (alibi servers, python-builder and executor) images (#7047)

* Fix for `python-builder` image CVEs

* Pin urllib in the conda image to fix CVEs in alibi servers images

* Tweak worfklow to check alibi-servers

* Update oauth2 to 0.27.0 in executor

* Tweak images.yaml

* Return original `images` workflow

Author: tyndria

.github/workflows/images.yml

@@ -204,4 +204,3 @@ jobs:
           VERSION: ${{ steps.docker-tag.outputs.value }}
         run: |
           make docker-build docker-push
-

executor/go.mod

@@ -66,7 +66,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
 	golang.org/x/net v0.44.0 // indirect
-	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/term v0.35.0 // indirect
 	golang.org/x/text v0.29.0 // indirect

executor/go.sum

@@ -341,8 +341,8 @@ golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

python-builder/Dockerfile

@@ -24,7 +24,8 @@ RUN INSTALL_DIR=/tmp/flatc-install && \
 ENV PYTHON_VERSION="3.12.12"
 ENV CONDA_VERSION="25.3.1"
 # Pin brotli to 1.2.x to remediate GHSA-2qfp-q593-8484 (CVE-2025-6176)
-RUN conda install --yes -c conda-forge python=$PYTHON_VERSION conda=$CONDA_VERSION brotli=1.2
+# Pin urllib3 to 2.6.x to remediate CVE-2025-66418, CVE-2025-66471 
+RUN conda install --yes -c conda-forge python=$PYTHON_VERSION conda=$CONDA_VERSION brotli=1.2 urllib3=2.6
 
 # Install python dependencies
 RUN pip3 install --upgrade pip setuptools wheel && \

wrappers/s2i/python/Dockerfile.conda

@@ -17,14 +17,14 @@ RUN wget -O certifi-python-certifi.tar.gz \
     https://github.com/certifi/python-certifi/archive/master.tar.gz
 
 # Install Miniforge (BSD-3-Clause)
-# Fix vulnerabilities for brotli and h2
+# Fix vulnerabilities for brotli, h2, and urllib3
 # Fix vulnerability in pip(9CVE-2025-8869)
 ARG MINIFORGE_VERSION
 RUN wget https://github.com/conda-forge/miniforge/releases/download/${MINIFORGE_VERSION}/Miniforge3-${MINIFORGE_VERSION}-Linux-x86_64.sh -O ~/miniforge.sh && \
     /bin/bash ~/miniforge.sh -b -p /opt/conda && \
     rm ~/miniforge.sh && \
     /opt/conda/bin/conda init bash && \
-    /opt/conda/bin/conda install -c conda-forge "brotli>=1.2.0,<1.3.0" "h2>=4.3.0,<4.4.0" -y && \
+    /opt/conda/bin/conda install -c conda-forge "brotli>=1.2.0,<1.3.0" "h2>=4.3.0,<4.4.0" "urllib3>=2.6.0,<2.7.0" -y && \
     /opt/conda/bin/pip install "pip>=25.3,<26.0" && \
     /opt/conda/bin/conda clean -afy && \
     rm -rf /opt/conda/pkgs && \