fix(security): upgrade Traefik from v3.6.7 to v3.6.17#4090
Closed
andershermansen wants to merge 17 commits into
Closed
fix(security): upgrade Traefik from v3.6.7 to v3.6.17#4090andershermansen wants to merge 17 commits into
andershermansen wants to merge 17 commits into
Conversation
Addresses 12 CVEs across 5 patch releases: v3.6.8: CVE-2026-25949, CVE-2025-68121 v3.6.9: CVE-2026-26998, CVE-2026-26999, CVE-2026-29054 v3.6.10: CVE-2026-29777, CVE-2026-27141 v3.6.11: CVE-2026-32595, CVE-2026-32305, CVE-2026-32695 v3.6.12: CVE-2026-33433, CVE-2026-33186
The empty-records branch of `main()` returned without calling `process.exit(0)`, leaving the Drizzle Postgres connection pool holding the event loop open. The `migrate-auth-secret` process then hangs indefinitely after printing "No 2FA records found, nothing to migrate." causing the upstream `0.29.3.sh` security migration script (which calls this via `docker exec`) to never reach its final `docker service update` step that mounts the new Docker Secret. Operators end up with the new secret created but the dokploy service still configured with the hardcoded `BETTER_AUTH_SECRET`, while believing the migration completed. Match the success branch a few lines below which already does `process.exit(0)`, and the pattern used in sibling scripts `reset-password.ts` and `reset-2fa.ts`. Closes Dokploy#4392
…ret-exit-on-empty fix(migrate-auth-secret): exit cleanly when there are no 2FA records
Adds an "Import" option to the Create Service dropdown that lets users paste a base64-encoded compose export, preview the template (compose YAML, domains, envs, mounts) before confirming, and create the service only on confirm. Adds a `previewTemplate` tRPC procedure that processes the base64 without touching the DB, with server access validation via session.
…-base64 feat(compose): add import from base64 in create service dropdown
- Updated the GitHub Actions workflow to sync versioning across MCP, CLI, and SDK repositories. - Added steps to bump the version in the SDK repository and regenerate tools from the latest OpenAPI spec. - Improved commit message formatting to include source and release information for all repositories. - Ensured successful synchronization messages for each repository after the version update.
- Introduced a new `readLogs` procedure that allows users to retrieve logs for a specific deployment by providing the deployment ID and an optional tail parameter. - Implemented permission checks to ensure users have access to the requested logs. - Enhanced log retrieval for both cloud and non-cloud environments, utilizing appropriate commands based on the server context. Resolve Dokploy/mcp#14
- Implemented server access validation in deployment procedures to ensure users can only access deployments associated with their active organization. - Added checks to throw an UNAUTHORIZED error if a user attempts to access a deployment linked to a server outside their organization. This enhancement improves security and access control within the deployment management system.
- Added validation to prevent users from being invited with the owner role in the organization and user routers. - Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role. This change enhances role management and security within the organization structure. https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh
- Added functionality to delete old sessions when a user updates their password, ensuring that only the current session remains active. - This change enhances security by preventing unauthorized access from previous sessions after a password change. Close here https://github.com/Dokploy/dokploy/security/advisories/GHSA-rr9m-w87g-46f3
* fix: copy Dokploy server IP when clicking server badge When a service runs on the local Dokploy server (no remote server), clicking the server badge did nothing because `data.server` is null. Now falls back to the server IP from settings so the badge always copies an IP address. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(copy-ip): implement IP address copying functionality across database service components - Added the ability to copy the server IP address to the clipboard when clicking the server badge in various database service components (Libsql, MariaDB, MongoDB, MySQL, PostgreSQL, Redis). - Integrated the `copy-to-clipboard` library and `sonner` for user feedback upon successful copy action. - Ensured fallback to the server IP from settings when the service data is not available, enhancing user experience and functionality. --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Mauricio Siu <siumauricio@icloud.com>
Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com>
…of register, and build for extra. (Dokploy#4382)
Addresses additional CVEs in Traefik v3.6.14, v3.6.15, and v3.6.17.
Author
|
Updated to traefik 3.6.17 which has even more CVEs fixed. |
Author
|
Superseeded by #4584 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is this PR about?
Addresses 19 CVEs in Traefik across 8 patch releases:
v3.6.8: CVE-2026-25949, CVE-2025-68121
v3.6.9: CVE-2026-26998, CVE-2026-26999, CVE-2026-29054
v3.6.10: CVE-2026-29777, CVE-2026-27141
v3.6.11: CVE-2026-32595, CVE-2026-32305, CVE-2026-32695
v3.6.12: CVE-2026-33433, CVE-2026-33186
v3.6.14: CVE-2026-40912 (GHSA-6jwx-7vp4-9847), CVE-2026-39858 (GHSA-5m6w-wvh7-57vm), CVE-2026-35051 (GHSA-6384-m2mw-rf54), CVE-2026-41263 (GHSA-6x2q-h3cr-8j2h), CVE-2026-41174 (GHSA-xhjw-95fp-8vgq)
v3.6.15: CVE-2026-41181 (GHSA-p6hg-qh38-555r)
v3.6.17: CVE-2026-44774 (GHSA-96qj-4jj5-wcjc)
Checklist
Before submitting this PR, please make sure that:
canarybranch.Greptile Summary
This PR updates the default Traefik Docker image version from
3.6.7to3.6.12inpackages/server/src/setup/traefik-setup.ts, addressing 12 CVEs across 5 patch releases (v3.6.8–v3.6.12). The change is a single-line bump to the fallback value of theTRAEFIK_VERSIONconstant; users who set theTRAEFIK_VERSIONenvironment variable are unaffected.TRAEFIK_VERSION(server-setup.ts,setup.ts) already reference the exported constant, so they will automatically pick up the new default.Confidence Score: 5/5
Safe to merge — a straightforward one-line security patch version bump with no logic changes.
The change is a single-line default version string update with no functional or behavioral changes. All existing consumers use the exported constant. No P1 or P0 issues found.
No files require special attention.
Important Files Changed
Reviews (1): Last reviewed commit: "fix(security): upgrade Traefik from v3.6..." | Re-trigger Greptile
(2/5) Greptile learns from your feedback when you react with thumbs up/down!