
fix(docker): upgrade alpine packages to address HIGH severity CVEs #10830

Merged
robert-hebel-sb merged 1 commit into master from fix/docker-alpine-cve-2026-28390-cve-2026-40200
Apr 15, 2026

Conversation

@robert-hebel-sb
Contributor

Summary

  • Pin libcrypto3>=3.5.6-r0 and libssl3>=3.5.6-r0 to fix CVE-2026-28390 (OpenSSL NULL pointer dereference DoS, HIGH)
  • Pin musl>=1.2.5-r23 and musl-utils>=1.2.5-r23 to fix CVE-2026-40200 (musl libc arbitrary code execution/DoS, HIGH)
  • Reformatted the apk add command into multi-line for readability (consistent with the existing version-constraint pattern)

Motivation and Context

Trivy vulnerability scanner in CI flagged 4 HIGH severity vulnerabilities in the docker.swagger.io/swaggerapi/swagger-ui:unstable image:
https://github.com/swagger-api/swagger-ui/actions/runs/24437770187/job/71395735898

All four vulnerabilities have available fixes in Alpine 3.23 and are addressed by explicitly requiring the minimum fixed package versions during the Docker build.

How Has This Been Tested?

  • Verified fixed versions are available in Alpine 3.23 package repositories
  • Trivy scan on the rebuilt image should show 0 HIGH/CRITICAL vulnerabilities for these packages

Screenshots

N/A — Dockerfile-only change

Checklist

  • Bug fix (no code change — Docker base image package upgrade)
  • No breaking changes
  • No documentation update required

🤖 Generated with Claude Code
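The PR relies on a re-run of Trivy to confirm the fix. A direct check that a rebuilt image actually carries the pinned minimum versions is an added example here, not code from the PR or from the swagger-ui project. It assumes that installed packages are listed one `name-version` token per line, the shape `apk info -v` prints, that the pinned packages use plain `X.Y.Z-rN` release versions (suffixes such as `_p1` are not handled), and that the two sample package lists are constructed from the versions named in the PR, with a busybox line made up as filler to show that unrelated packages are ignored:

```shell
#!/bin/sh
# Added example, not part of PR #10830 or the swagger-ui repository.
# Verifies that an Alpine image carries at least the package versions the PR
# pins, using the same ">=" constraints as the apk add line, so a rebuilt
# image can be checked directly in addition to the Trivy scan.

# Minimum fixed versions, taken from the PR summary.
MIN_VERSIONS='libcrypto3 3.5.6-r0
libssl3 3.5.6-r0
musl 1.2.5-r23
musl-utils 1.2.5-r23'

# Compare two Alpine versions of the release shape X.Y.Z-rN numerically and
# print -1, 0 or 1 for $1 <, ==, > $2. Suffixes such as _p1 or _git are not
# handled (assumption: the pinned packages use plain release versions).
apk_vercmp() {
    a=${1%-r*}; b=${2%-r*}          # dotted part
    ar=${1#*-r}; br=${2#*-r}        # -rN release number
    [ "$ar" = "$1" ] && ar=0        # no -rN suffix present
    [ "$br" = "$2" ] && br=0
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax:-0};  bx=${bx:-0}   # a missing trailing field counts as 0
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    if [ "$ar" -lt "$br" ]; then printf '%s\n' -1
    elif [ "$ar" -gt "$br" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# Check installed packages against MIN_VERSIONS. $1 holds one "name-version"
# token per line, the shape `apk info -v` prints inside the container
# (assumption about that output format). Returns 0 when every pinned package
# is present at or above its minimum, 1 otherwise, reporting each package.
check_min_versions() {
    installed=$1
    rc=0
    while read -r name min; do
        found=''
        for tok in $installed; do
            case $tok in
                "$name"-[0-9]*) found=${tok#"$name"-} ;;   # exact name, then a version
            esac
        done
        if [ -z "$found" ]; then
            echo "MISSING  $name (need >=$min)"; rc=1
        elif [ "$(apk_vercmp "$found" "$min")" -lt 0 ]; then
            echo "TOO OLD  $name-$found (need >=$min)"; rc=1
        else
            echo "OK       $name-$found"
        fi
    done <<EOF
$MIN_VERSIONS
EOF
    return $rc
}

# Constructed sample input in `apk info -v` shape: the versions the commit
# message names before and after the fix, plus one unrelated package
# (the busybox line is made-up filler showing non-pinned packages are ignored).
BEFORE_FIX='libcrypto3-3.5.5-r0
libssl3-3.5.5-r0
musl-1.2.5-r21
musl-utils-1.2.5-r21
busybox-1.37.0-r0'
AFTER_FIX='libcrypto3-3.5.6-r0
libssl3-3.5.6-r0
musl-1.2.5-r23
musl-utils-1.2.5-r23
busybox-1.37.0-r0'

# Stand-alone demo. Inside the rebuilt container the real check would be:
#   check_min_versions "$(apk info -v)"
echo '--- image before the fix ---'
check_min_versions "$BEFORE_FIX" || echo "RESULT: vulnerable versions present"
echo '--- image after the fix ---'
check_min_versions "$AFTER_FIX" && echo "RESULT: all pinned packages at fixed versions"
```

Run as-is it reports on the constructed samples; inside the rebuilt container, `check_min_versions "$(apk info -v)"` applies the same check to the real package set, and its non-zero exit lets a CI step fail the build independently of the scanner's vulnerability database.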

Explicitly pin minimum versions for libcrypto3, libssl3, musl, and
musl-utils to resolve Trivy-detected vulnerabilities in the Docker image:

- CVE-2026-28390 (HIGH): OpenSSL NULL pointer dereference DoS
  libcrypto3/libssl3 3.5.5-r0 → >=3.5.6-r0
- CVE-2026-40200 (HIGH): musl libc arbitrary code execution/DoS
  musl/musl-utils 1.2.5-r21 → >=1.2.5-r23

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@robert-hebel-sb robert-hebel-sb merged commit 095ee75 into master Apr 15, 2026
9 checks passed
swagger-bot pushed a commit that referenced this pull request Apr 15, 2026
## [5.32.4](v5.32.3...v5.32.4) (2026-04-15)

### Bug Fixes

* **authorization:** increase backdrop z-index ([#10831](#10831)) ([fd08fe8](fd08fe8))
* **docker:** upgrade alpine packages to address HIGH severity CVEs ([#10830](#10830)) ([095ee75](095ee75))
@swagger-bot
Contributor

🎉 This PR is included in version 5.32.4 🎉

The release is available on:

Your semantic-release bot 📦🚀
