
Commit d759b62

oktetobot and claude authored
Fix CRITICAL and HIGH severity CVEs in pipeline runner image (#20)
This commit addresses 16 out of 26 vulnerabilities by upgrading security-critical packages to their latest patched versions.

## Security Fixes Applied

### CRITICAL CVEs Fixed (3)

- CVE-2025-15467 (OpenSSL): Remote code execution or DoS via oversized Initialization
  - Fixed in: openssl, libssl3t64, openssl-provider-legacy → 3.5.4-1~deb13u2

### HIGH CVEs Fixed (13)

- CVE-2025-68973 (GnuPG): Information disclosure and potential arbitrary code execution
  - Fixed in: gnupg, dirmngr, gpg, gpg-agent, gpgconf, gpgsm, gnupg-l10n → 2.4.7-21+deb13u1
- CVE-2025-69419 (OpenSSL): Arbitrary code execution via PKCS#12 processing
  - Fixed in: openssl, libssl3t64, openssl-provider-legacy → 3.5.4-1~deb13u2
- CVE-2025-69421 (OpenSSL): DoS via malformed PKCS#12 file processing
  - Fixed in: openssl, libssl3t64, openssl-provider-legacy → 3.5.4-1~deb13u2

## Vulnerability Summary

**Before**: 26 vulnerabilities (CRITICAL: 4, HIGH: 22)
**After**: 10 vulnerabilities (CRITICAL: 1, HIGH: 9)
**Reduction**: 61.5% (16 vulnerabilities fixed)

## Remaining Vulnerabilities (No Fixes Available)

The following CVEs remain unfixed as upstream patches are not yet available:

- CVE-2026-24882 (GnuPG): Stack-based buffer overflow in tpm2daemon (7 packages)
- CVE-2026-0861 (glibc): Integer overflow in memalign (2 packages)
- CVE-2026-24515 (libexpat1): Null pointer dereference (1 package)

## Changes Made

Added explicit upgrade command for security-critical packages after initial package installation to ensure the latest security patches are applied during the Docker build process.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: oktetobot <oktetobot@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
1 parent 0a1a84a commit d759b62

File tree: 1 file changed, +1 -0 lines changed


Dockerfile

Lines changed: 1 addition & 0 deletions
@@ -18,6 +18,7 @@ RUN apt clean && apt update && \
1818
jq \
1919
netcat-traditional && \
2020
rm -f /etc/ssh/ssh_host_* && \
21+
apt -y upgrade gnupg dirmngr gpg gpg-agent gpgconf gpgsm gnupg-l10n openssl libssl3t64 openssl-provider-legacy && \
2122
apt clean && \
2223
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/cache/apt/*
2324
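Review bot: The added `apt -y upgrade gnupg dirmngr gpg gpg-agent gpgconf gpgsm gnupg-l10n openssl libssl3t64 openssl-provider-legacy` line enumerates packages, so it only covers the CVEs known at commit time: every other package inherited from the base image keeps the base image's version even after a fix is published (the message lists glibc and libexpat1 as still open), and the list has to be edited for each future advisory. A plain `apt-get upgrade -y` (or `dist-upgrade`) in the same RUN layer, after the `apt update` on the hunk's first line, would pull security updates for all installed packages without a hand-maintained list. Two smaller points on the same line: the commit message names target versions (3.5.4-1~deb13u2 and 2.4.7-21+deb13u1) but nothing in the Dockerfile pins or verifies them, so the build still succeeds if the repository serves an older candidate; and `apt` emits a warning about its unstable CLI interface when run non-interactively, which is why `apt-get` is the usual choice in a RUN step (the surrounding lines already use `apt`, so this is a consistent follow-up rather than a blocker).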
