fix: remediate CVE-2026-24051 (otel/sdk) - upgrade base image and buildx binary #91
Open
morose9816 wants to merge 1 commit into drone-plugins:master from
Upgrades both linux/amd64 and linux/arm64 Dockerfiles:
- docker base image: 28.1.1-dind -> 29.2.1-dind
- docker/buildx binary: v0.23.0 -> v0.31.1

The vulnerable package go.opentelemetry.io/otel/sdk@v1.31.0 is bundled inside the docker/buildx binary. Upgrading to buildx v0.31.1 advances otel/sdk from v1.31.0 to v1.38.0.

Note: full remediation to otel/sdk >= v1.40.0 (the stated fix version for CVE-2026-24051) is blocked upstream — no docker/buildx release through v0.32.1 ships otel/sdk v1.40.0+. A follow-up ticket should be created to re-evaluate once docker/buildx publishes a release that pulls in otel/sdk >= v1.40.0.

Scan: vinayakharness/buildx-test:linux-amd64 (execution 0sihybi9TmKn63WWDi7mBg)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Vulnerability Remediation: CVE-2026-24051
Summary
- Package: go.opentelemetry.io/otel/sdk
- Affected range: >= v1.21.0, < v1.40.0
- Image: plugins/buildx:1.3.13
- Scan: vinayakharness/buildx-test:linux-amd64 (execution jJYUVc5H6Ept1b8nrxUA4Q)

Root Cause
The vulnerable go.opentelemetry.io/otel/sdk@v1.31.0 was bundled inside the docker/buildx binary downloaded at image build time (v0.23.0). The plugin's own go.mod does not directly depend on otel.

Changes
docker/docker/Dockerfile.linux.amd64:
- FROM docker:28.1.1-dind → FROM docker:29.2.1-dind
- buildx-v0.23.0 → buildx-v0.31.1

docker/docker/Dockerfile.linux.arm64:
- FROM arm64v8/docker:28.1.1-dind → FROM arm64v8/docker:29.2.1-dind
- buildx-v0.23.0.linux-arm64 → buildx-v0.31.1.linux-arm64

Vulnerability Delta
go.opentelemetry.io/otel/sdk (via buildx binary)

Upstream Blocker — Follow-up Required
The full fix for CVE-2026-24051 requires otel/sdk >= v1.40.0. As of 2026-03-05, no released version of docker/buildx (checked through v0.32.1) ships otel/sdk >= v1.40.0 — all current releases cap at v1.38.0. This PR delivers the best available fix (v1.31.0 → v1.38.0). A follow-up ticket should be created to upgrade buildx again once docker/buildx publishes a release that pulls in otel/sdk >= v1.40.0. Track the upstream issue at: https://osv.dev/vulnerability/GHSA-9h8m-3fm2-qjrq

Scan Evidence
vinayakharness/buildx-test:linux-amd64 (execution jJYUVc5H6Ept1b8nrxUA4Q)

Note on CVE-2026-24051 findings in the scan report
The scan report contains two go.opentelemetry.io/otel/sdk CVE-2026-24051 findings, but neither originates from our image layers:
- otel/sdk@v1.37.0: /app/dbservice (COPY /app/bin/dbservice .)
- otel/sdk@v1.38.0: /usr/local/bin/wizcli

The docker/buildx binary at /root/.docker/cli-plugins/docker-buildx (downloaded from our Dockerfile RUN wget layer) does embed otel/sdk@v1.38.0, which is still below the v1.40.0 fix threshold, but the scanner did not surface this as a separate line-item finding — the two otel entries above are from the scan runner's own environment, not our image. The buildx-binary vector is the reason this PR is marked Partial rather than Resolved.
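As an added check (example code, not from this PR or the drone-plugins project): Go embeds its module list in every binary it builds and `go version -m <binary>` prints it, so the buildx-binary vector that the scanner did not itemise can be verified directly against the advisory's affected range. The `go version -m` output below is a constructed sample; `check_binary` assumes a Go toolchain on PATH.

```python
# Added example (not part of this PR): parse the module list that
# `go version -m <binary>` prints and compare the embedded otel/sdk version
# with the advisory's affected range (>= v1.21.0, < v1.40.0).
import re
import subprocess
from typing import Optional

MODULE = "go.opentelemetry.io/otel/sdk"
AFFECTED_MIN = (1, 21, 0)  # first affected version, from the PR summary
FIXED = (1, 40, 0)         # first fixed version, from the PR summary

def parse_semver(version: str) -> tuple:
    """'v1.38.0' -> (1, 38, 0); any pre-release suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())

def find_module_version(go_version_output: str, module: str = MODULE) -> Optional[str]:
    r"""Version of `module` from `go version -m` output, or None if not embedded.
    Module lines are tab-separated: "\tdep\t<path>\t<version>\t<hash>"."""
    for line in go_version_output.splitlines():
        fields = line.split("\t")  # ['', kind, path, version, hash]
        if len(fields) >= 4 and fields[1] in ("dep", "mod") and fields[2] == module:
            return fields[3]
    return None

def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_semver(version) < FIXED

def assess(go_version_output: str) -> dict:
    """Summarise otel/sdk status for one binary; an absent module counts as unaffected."""
    version = find_module_version(go_version_output)
    return {"version": version, "affected": version is not None and is_affected(version)}

def check_binary(path: str) -> dict:
    """Run `go version -m` on a real binary (needs a Go toolchain on PATH)."""
    out = subprocess.run(["go", "version", "-m", path], capture_output=True, text=True, check=True)
    return assess(out.stdout)

# Constructed sample, shaped like `go version -m` output for a buildx v0.31.1 binary
SAMPLE_OUTPUT = (
    "/root/.docker/cli-plugins/docker-buildx: go1.24.1\n"
    "\tpath\tgithub.com/docker/buildx/cmd/buildx\n"
    "\tmod\tgithub.com/docker/buildx\tv0.31.1\th1:CONSTRUCTED\n"
    "\tdep\tgo.opentelemetry.io/otel/sdk\tv1.38.0\th1:CONSTRUCTED\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))  # {'version': 'v1.38.0', 'affected': True}
```

Running it against the real plugin binary (`check_binary("/root/.docker/cli-plugins/docker-buildx")` inside the built image) gives the per-binary evidence the scan report lacks.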