fix: upgrade to Debian 13 (Trixie) to resolve security vulnerabilities [#1628] #1629
Merged
josecelano merged 1 commit into torrust:develop, Dec 23, 2025
Conversation
… vulnerabilities

- Update base images from Debian 12 (bookworm) to Debian 13 (trixie)
- Update builder: rust:bookworm -> rust:trixie
- Update tester: rust:slim-bookworm -> rust:slim-trixie
- Update GCC: gcc:bookworm -> gcc:trixie
- Update runtime: gcr.io/distroless/cc-debian12:debug -> gcr.io/distroless/cc-debian13:debug

This resolves all 5 security vulnerabilities (1 CRITICAL, 4 HIGH):

- CVE-2019-1010022 (CRITICAL): glibc stack guard protection bypass
- CVE-2018-20796 (HIGH): glibc uncontrolled recursion
- CVE-2019-1010023 (HIGH): glibc ldd malicious ELF code execution
- CVE-2019-9192 (HIGH): glibc uncontrolled recursion
- CVE-2023-0286 (HIGH): OpenSSL X.400 address type confusion

Trivy scan results:

- Before: Total 5 (CRITICAL: 1, HIGH: 4)
- After: Total 0 (CRITICAL: 0, HIGH: 0)

Container tested and verified working with health checks passing.
Member, Author:

ACK 767bb5c
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage Diff (develop vs #1629):

```
             develop   #1629   +/-
=====================================
Coverage     86.47%    86.48%
=====================================
Files        289       289
Lines        22701     22701
Branches     22701     22701
=====================================
+ Hits       19631     19633   +2
+ Misses     2839      2836    -3
- Partials   231       232     +1
```
da2ce7 pushed a commit to da2ce7/torrust-tracker that referenced this pull request on Feb 4, 2026
- tokio: 1.45.1 → 1.48.0
- reqwest: 0.12.20 → 0.12.24
- clap: 4.5.40 → 4.5.53
- tracing-subscriber: 0.3.19 → 0.3.22
- ringbuf: 0.4.4 → 0.4.8
- uuid: 1.18.1 → 1.19.0
- and other transitive dependencies

Related dependabot PRs:

- torrust#1629 (tokio)
- torrust#1630 (reqwest)
- torrust#1623 (clap)
- torrust#1614 (tracing-subscriber)
- torrust#1604 (ringbuf)
da2ce7 pushed a commit to da2ce7/torrust-tracker that referenced this pull request on Feb 4, 2026
6cb7cdd chore(deps): update Cargo dependencies (Jose Celano)
46b2450 chore(deps): bump actions/github-script from 7 to 8 (Jose Celano)
6757705 chore(deps): bump actions/upload-artifact from 4 to 5 (Jose Celano)
00db823 chore(deps): bump actions/checkout from 4 to 6 (Jose Celano)

Pull request description:

## Summary

This PR consolidates several dependency updates from dependabot PRs.

### GitHub Actions Updates

- **actions/checkout**: v4 → v6 (PR torrust#1622)
- **actions/upload-artifact**: v4 → v5 (PR torrust#1621)
- **actions/github-script**: v7 → v8 (PR torrust#1615)

### Cargo Dependencies Updates

- **tokio**: 1.45.1 → 1.48.0 (PR torrust#1629)
- **reqwest**: 0.12.20 → 0.12.24 (PR torrust#1630)
- **clap**: 4.5.40 → 4.5.53 (PR torrust#1623)
- **tracing-subscriber**: 0.3.19 → 0.3.22 (PR torrust#1614)
- **ringbuf**: 0.4.4 → 0.4.8 (PR torrust#1604)
- **uuid**: 1.18.1 → 1.19.0
- Other transitive dependencies

### Not Included

- **zerocopy**: 0.7 → 0.8 (PR torrust#1496) - Blocked by upstream dependency `aquatic_udp_protocol` which still uses zerocopy 0.7. See: greatest-ape/aquatic#224

## Testing

All tests pass with the updated dependencies.

## Related PRs

Closes torrust#1622, closes torrust#1621, closes torrust#1615, closes torrust#1629, closes torrust#1630, closes torrust#1623, closes torrust#1614, closes torrust#1604

ACKs for top commit:
  josecelano: ACK 6cb7cdd

Tree-SHA512: d8504f1076ff669571bebeb1d54f3aa3d0dd3cc0323cd14902e0f44ed5bd82ced019b192ab3b375ad661951dea69255ee7ddf5e3e807282ad73fb2d7c3f0b7d8
josecelano added a commit to torrust/torrust-tracker-deployer that referenced this pull request on Feb 5, 2026
…eleases

871ff43 fix: [#317] Update deployer runtime base image from bookworm-slim to trixie-slim (Jose Celano)
262aeb8 docs: [#317] add comprehensive security scan reports for all docker images (Jose Celano)
947ae8a docs: [#317] mark deployer docker base image update as completed (Jose Celano)
2d2dfb4 build: [#317] update deployer docker base image from rust:bookworm to rust:trixie (Jose Celano)

Pull request description:

## Overview

This PR implements issue #317: Update all Docker base images to the latest stable releases for improved security and consistency with the Torrust Tracker ecosystem.

## Changes Made

### 1. Deployer Container Update

- **Change**: Updated `docker/deployer/Dockerfile` from `rust:bookworm` (Debian 12) to `rust:trixie` (Debian 13)
- **Verification**:
  - ✅ Docker image builds successfully
  - ✅ All 416 unit and integration tests pass
  - ✅ Trivy security scan: 1 HIGH (test artifact only), 0 CRITICAL
  - ✅ All linters pass

### 2. Security Improvements

- **Deployer**: Reduced from 25 HIGH + 7 CRITICAL (bookworm) to **1 HIGH + 0 CRITICAL (trixie)** - **97% vulnerability reduction**
- **Backup**: Verified using current `debian:trixie-slim` - stable with documented 7 HIGH vulnerabilities
- **SSH Server**: Verified using current `alpine:3.23.3` - minimal Alpine base with 1 HIGH (test artifact)
- **Provisioned Instance**: Verified using current `ubuntu:24.04 LTS` - expected 11 HIGH for reference LTS OS

### 3. Documentation

Created comprehensive security scan reports with build and scan commands:

- **[Deployer Scan](docs/security/docker/scans/torrust-tracker-deployer.md)** - Updated with trixie results
- **[Backup Scan](docs/security/docker/scans/torrust-tracker-backup.md)** - Updated with detailed vulnerability analysis
- **[SSH Server Scan](docs/security/docker/scans/torrust-ssh-server.md)** - New, Alpine 3.23.3 minimal base
- **[Provisioned Instance Scan](docs/security/docker/scans/torrust-tracker-provisioned-instance.md)** - New, Ubuntu 24.04 LTS reference
- **[Scans README](docs/security/docker/scans/README.md)** - Updated with latest status and build/scan commands

### 4. Issue Specification

Updated [Issue #317 Specification](docs/issues/317-update-docker-base-images.md):

- Added build and scan commands for all images
- Linked to detailed scan reports
- Marked implementation as completed with acceptance criteria met

## Alignment with Ecosystem

This update aligns with [Torrust Tracker PR #1629](torrust/torrust-tracker#1629), ensuring consistency across the Torrust ecosystem by using Debian 13 (trixie) as the stable base OS.

## Testing & Verification

- [x] Deployer Docker image builds successfully with trixie base
- [x] All 416 unit and integration tests pass
- [x] Trivy security scan completed for all images
- [x] All linters pass (markdown, YAML, TOML, cspell, Clippy, rustfmt, shellcheck)
- [x] Build from workspace root with correct context
- [x] Pre-commit verification script passes

## Build & Scan Commands

All Docker images can be built and scanned using the documented commands:

```bash
# Build all images
docker build --target release --tag torrust/tracker-deployer:local --file docker/deployer/Dockerfile .
docker build --tag torrust/tracker-backup:local docker/backup/
docker build --tag torrust/tracker-ssh-server:local docker/ssh-server/
docker build --tag torrust/tracker-provisioned-instance:local docker/provisioned-instance/

# Run security scans
trivy image --severity HIGH,CRITICAL torrust/tracker-deployer:local
trivy image --severity HIGH,CRITICAL torrust/tracker-backup:local
trivy image --severity HIGH,CRITICAL torrust/tracker-ssh-server:local
trivy image --severity HIGH,CRITICAL torrust/tracker-provisioned-instance:local
```

## Commits

1. `build: [#317] update deployer docker base image from rust:bookworm to rust:trixie` - Core Dockerfile change
2. `docs: [#317] mark deployer docker base image update as completed` - Updated issue specification
3. `docs: [#317] add comprehensive security scan reports for all docker images` - Complete scan documentation

## Related Issues

- Closes #317
- Related to [Torrust Tracker PR #1629](torrust/torrust-tracker#1629)

ACKs for top commit:
  josecelano: ACK 871ff43

Tree-SHA512: 09a54f9026065c43e7f2d95c7834f9d1856fc02f2ca46a54b81566d41a2d218832739a463ce03bbc33cb9310628bfc2c26918beb0898bbf505eb218ec64a534a
Description
This PR upgrades all Docker base images from Debian 12 (bookworm) to Debian 13 (trixie) to resolve security vulnerabilities detected by Trivy.
Changes
- rust:bookworm → rust:trixie
- rust:slim-bookworm → rust:slim-trixie
- gcc:bookworm → gcc:trixie
- gcr.io/distroless/cc-debian12:debug → gcr.io/distroless/cc-debian13:debug

Security Impact
Before
Trivy scan detected 5 vulnerabilities (1 CRITICAL, 4 HIGH):
After
Trivy scan results: Total: 0 (CRITICAL: 0, HIGH: 0) ✅
All security vulnerabilities have been resolved.
Testing
Related Issues
Closes #1628
Checklist
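The before/after summary lines quoted in the description come from a `trivy image --severity HIGH,CRITICAL` scan. As an added example that is not part of this PR or the Torrust project, the following Python gate reads Trivy's JSON output (`trivy image --format json`), reproduces that `Total: N (CRITICAL: x, HIGH: y)` line and returns the exit status a CI job would use; the two sample reports are constructed inline from the CVE ids listed above, and the field names (`Results[].Vulnerabilities[].VulnerabilityID/PkgName/Severity`) are assumed to match Trivy's current JSON schema.

```python
import json
from collections import Counter

# Severities the PR gated on, mirroring `trivy image --severity HIGH,CRITICAL`.
GATE_SEVERITIES = ("CRITICAL", "HIGH")

# Constructed sample reports (not real scanner output), shaped after Trivy's JSON
# schema (Results[].Vulnerabilities[] with VulnerabilityID/PkgName/Severity). The
# first carries the five findings named in the PR plus one LOW entry with a
# placeholder id, showing that the gate ignores severities below the threshold.
BEFORE_REPORT = json.dumps({"Results": [{
    "Target": "sample/tracker:bookworm (debian 12.0)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "libc6", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2018-20796", "PkgName": "libc6", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-1010023", "PkgName": "libc6", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-9192", "PkgName": "libc6", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-0286", "PkgName": "libssl3", "Severity": "HIGH"},
        {"VulnerabilityID": "PLACEHOLDER-LOW-1", "PkgName": "example-pkg", "Severity": "LOW"},
    ]}]})
# Trivy omits the Vulnerabilities key entirely for a clean target.
AFTER_REPORT = json.dumps({"Results": [{"Target": "sample/tracker:trixie (debian 13.0)"}]})


def findings(report_json):
    """(id, package, severity) for every finding in every Results entry."""
    report = json.loads(report_json)
    return [(v["VulnerabilityID"], v.get("PkgName", "?"), v.get("Severity", "UNKNOWN"))
            for r in report.get("Results") or []          # null when nothing was scanned
            for v in r.get("Vulnerabilities") or []]      # key absent when the target is clean


def gated_findings(report_json, severities=GATE_SEVERITIES):
    """Findings at a gated severity, ordered CRITICAL first, for the CI log."""
    hits = [f for f in findings(report_json) if f[2] in severities]
    return sorted(hits, key=lambda f: severities.index(f[2]))


def summarize(report_json, severities=GATE_SEVERITIES):
    """The 'Total: N (CRITICAL: x, HIGH: y)' line Trivy prints, for the gated severities."""
    counts = Counter(f[2] for f in findings(report_json))
    total = sum(counts[s] for s in severities)
    return f"Total: {total} (" + ", ".join(f"{s}: {counts[s]}" for s in severities) + ")"


def gate(report_json, severities=GATE_SEVERITIES):
    """CI exit status: 1 while any gated finding remains, else 0 (cf. trivy --exit-code 1)."""
    return 1 if gated_findings(report_json, severities) else 0
```

Running `summarize` on the two sample reports yields `Total: 5 (CRITICAL: 1, HIGH: 4)` and `Total: 0 (CRITICAL: 0, HIGH: 0)`, the same figures the PR reports for bookworm and trixie.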