Commit ca8a0d3

fix: upgrade Alpine packages to resolve CVEs in musl-utils and zlib (#1114)
Adds `apk upgrade --no-cache` to the runner stage to pull in patched versions of musl-utils (>=1.2.5-r23) and zlib (>=1.3.2-r0), fixing:

- CVE-2026-40200 (HIGH) - musl arbitrary code execution
- CVE-2026-6042 (MEDIUM) - musl denial of service
- CVE-2026-22184 (HIGH) - zlib buffer overflow
- CVE-2026-27171 (MEDIUM) - zlib denial of service

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent a91e421 commit ca8a0d3

1 file changed

+2
-1
lines changed

Dockerfile

Lines changed: 2 additions & 1 deletion
@@ -180,7 +180,8 @@ ENV SOURCEBOT_LOG_LEVEL=info
180180
# ENV SOURCEBOT_TELEMETRY_DISABLED=1
181181

182182
# Configure dependencies
183-
RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq redis postgresql16 postgresql16-contrib openssl util-linux unzip
183+
RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq redis postgresql16 postgresql16-contrib openssl util-linux unzip && \
184+
apk upgrade --no-cache
184185

185186
ARG UID=1500
186187
ARG GID=1500
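
Review bot: the blanket `apk upgrade --no-cache` on new line 184 does not enforce the minimum versions the commit message relies on (musl-utils >=1.2.5-r23, zlib >=1.3.2-r0). It installs whatever the mirror serves at build time, and because the `RUN` text will not change again, a cached copy of this layer is reused on later builds without re-running the upgrade. It also upgrades every package in the image, so two builds of the same commit can differ in packages unrelated to these CVEs. Consider stating the constraint explicitly in the same `RUN`, for example `apk add --no-cache 'musl-utils>=1.2.5-r23' 'zlib>=1.3.2-r0'`, so the build fails if the patched versions are unavailable, and moving the general fix into a base-image bump (ideally pinned by digest). A short comment above the `RUN` naming the CVEs would also tell the next maintainer why the upgrade is there and when it can be dropped.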
