FIX: patch CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-33810, CVE-2026-4046, CVE-2026-4437

RoiGlinik · claude · RoiGlinik · commit c9aaf1c81d11 · 2026-05-03T17:57:05.000+03:00
- Upgrade Go builder from 1.26 to 1.26.2 (fixes 4 stdlib CVEs in crypto/x509 and crypto/tls) - go.mod bumped to go 1.26.2 to match builder - Fresh pull of cgr.dev/chainguard/bash:latest provides glibc >= 2.44 (fixes CVE-2026-4046, CVE-2026-4437) - Verified: docker scout reports 0C 0H 0M 0L on rebuilt image Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
-FROM golang:1.26 AS builder
+# Patching CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-33810: requires Go >= 1.26.2
+FROM golang:1.26.2 AS builder
 
 RUN apt-get update && \
     dpkg --add-architecture arm64 &&\
@@ -11,6 +12,7 @@ ADD . "$GOPATH/src/github.com/bitnami-labs/kubewatch"
 RUN cd "$GOPATH/src/github.com/bitnami-labs/kubewatch" && \
     CGO_ENABLED=0 GOOS=linux GOARCH=$(dpkg --print-architecture) go build -a --installsuffix cgo --ldflags="-s" -o /kubewatch
 
+# Patching CVE-2026-4046, CVE-2026-4437: requires glibc >= 2.44, provided by chainguard/bash built after May 2026
 FROM cgr.dev/chainguard/bash:latest
 
 COPY --from=builder /kubewatch /bin/kubewatch
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/bitnami-labs/kubewatch
 
-go 1.26.0
+go 1.26.2
 
 require (
 	github.com/fatih/structtag v1.2.0
