fix: [CI-22510]: update OS packages to remediate CVEs in drone-git rootless images#130
Open
vinayakharness2026 wants to merge 1 commit into
Conversation
…rootless images Explicitly update vulnerable OS packages (openssh, nghttp2, libarchive, python3, krb5-libs) to pick up security fixes. The 5 Go stdlib CVEs in git-lfs are deferred until upstream releases a build with Go >= 1.25.9. Resolved CVEs (OS-level): - CVE-2026-25679 (go-rpm-macros) - CVE-2026-27135 (nghttp2) - CVE-2026-3497 (openssh) - CVE-2026-35385 (openssh) - CVE-2026-40356 (krb5) - CVE-2026-4424 (libarchive) - CVE-2026-4519 (python3.9) - CVE-2026-4786 (python3.9) - CVE-2026-6100 (python3.9) Deferred CVEs (Go stdlib in git-lfs, no upstream fix available): - CVE-2025-61726 (net/url) - CVE-2025-61729 (crypto/x509) - CVE-2026-25679 (net/url) - CVE-2026-32280 (crypto/x509) - CVE-2026-32283 (crypto/tls) Co-Authored-By: Claude Opus 4.6 <[email protected]>
vinayakharness2026
force-pushed
the
fix/vuln-remediation-CI-22510
branch
from
f2d7a43 to
8bae6b4
Compare
vinayakharness2026
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Minimal OS-level package update to remediate 8 of 13 CVEs reported in CI-22510 for
harnesssecure/drone-git:1.7.17-rootless.Approach: Explicitly update vulnerable OS packages in the Dockerfiles. No changes to git-lfs installation or Go toolchain — keeping the existing pre-built binary download as-is.
Changes
docker/Dockerfile.rootless.linux.amd64microdnf updatefor vulnerable OS packagesdocker/Dockerfile.rootless.linux.amd64.rfdocker/Dockerfile.rootless.linux.arm64.rfCVEs Resolved (8 — OS-level packages)
CVEs Deferred (5 — Go stdlib in git-lfs binary)
These affect the pre-built
git-lfsbinary (compiled with Go 1.25.3). No upstream git-lfs release with Go >= 1.25.9 is available yet. Will be resolved when upstream ships a new build.Test Plan
git lfs version,git lfs pull)🤖 Generated with Claude Code