
fix(deps): bump APT_CACHE_BUST to clear 8 OS-package CVEs#106

Merged
ashiramin merged 2 commits into
mainfrom
aa/fix-vulns-20260527
May 27, 2026

Conversation

@ashiramin
Contributor

@ashiramin ashiramin commented May 27, 2026

Automated triage of Trivy scan run #26509407170 (scheduled :main scan, 8 CRITICAL/HIGH fixable findings).

Commits

1. Bump APT_CACHE_BUST (2026-05-19 → 2026-05-27) — clears the 8 OS-package CVEs. All have fixes already in the Debian archive; per the convention in #104, bumping the ARG invalidates the cached apt layer so `apt-get update && upgrade -y` re-fetches them transitively (no pins).

| CVE | Severity | Package(s) | Installed | Fixed |
| --- | --- | --- | --- | --- |
| CVE-2026-40356 | HIGH | krb5-locales, libgssapi-krb5-2, libk5crypto3, libkrb5-3, libkrb5support0 | 1.21.3-5 | 1.21.3-5+deb13u1 |
| CVE-2026-23171 | HIGH | linux-libc-dev | 6.12.88-1 | 6.12.90-1 |
| CVE-2026-43503 | HIGH | linux-libc-dev | 6.12.88-1 | 6.12.90-1 |
| CVE-2026-46300 | HIGH | linux-libc-dev | 6.12.88-1 | 6.12.90-1 |

2. Bump SNYK_BROKER_VERSION (v1.0.14-axon → v1.0.15-axon) — clears the qs finding the first commit's rebuild surfaced (the stale :main image was hiding it).

| CVE | Severity | Package | Fix |
| --- | --- | --- | --- |
| CVE-2026-8723 | HIGH | qs (6.15.0 → 6.15.2) | snyk-broker#24, released as v1.0.15-axon |

Verification

  • First trivy-pr run (#26528256403) confirmed all 8 OS CVEs cleared, leaving only qs.
  • The snyk-broker fix was verified locally (minimal node:20-slim image → qs resolves to 6.15.2, zero Trivy findings) before tagging.
  • This PR's trivy-pr scan now validates both commits together — expected fully green.

🤖 Generated with Claude Code
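The triage flow the PR describes (filter a Trivy scan down to CRITICAL/HIGH findings that have a fix, then compare the pre- and post-rebuild scans to see what was cleared and what the rebuild newly surfaced) as an added example; this is not the project's own tooling. It uses the field names Trivy's JSON report emits (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `InstalledVersion`, `FixedVersion`); the two reports are constructed inline, with the `CVE-0000-*` entries as placeholders for findings outside the actionable set.

```python
import json

# Constructed sample reports in Trivy's JSON layout. CVE/package values in the
# "before" scan mirror the PR's tables; the CVE-0000-* rows are placeholders.
BEFORE = json.dumps({"Results": [
    {"Target": "agent (debian 13)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-40356", "PkgName": "libkrb5-3", "Severity": "HIGH",
         "InstalledVersion": "1.21.3-5", "FixedVersion": "1.21.3-5+deb13u1"},
        {"VulnerabilityID": "CVE-2026-23171", "PkgName": "linux-libc-dev", "Severity": "HIGH",
         "InstalledVersion": "6.12.88-1", "FixedVersion": "6.12.90-1"},
        {"VulnerabilityID": "CVE-0000-00000", "PkgName": "libexample", "Severity": "LOW",
         "InstalledVersion": "1.0", "FixedVersion": "1.1"},      # below severity threshold
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libother", "Severity": "HIGH",
         "InstalledVersion": "2.0", "FixedVersion": ""},         # no fix in the archive yet
    ]}]})

# "After" the apt-layer rebuild: OS CVEs gone, unfixable one remains, qs now visible.
AFTER = json.dumps({"Results": [
    {"Target": "agent (debian 13)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libother", "Severity": "HIGH",
         "InstalledVersion": "2.0", "FixedVersion": ""},
    ]},
    {"Target": "Node.js", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-8723", "PkgName": "qs", "Severity": "HIGH",
         "InstalledVersion": "6.15.0", "FixedVersion": "6.15.2"},
    ]}]})

ACTIONABLE = {"CRITICAL", "HIGH"}


def fixable_findings(report_json):
    """Return {(cve, pkg): fixed_version} for CRITICAL/HIGH findings that carry a FixedVersion."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets, hence the `or []`.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in ACTIONABLE and v.get("FixedVersion"):
                out[(v["VulnerabilityID"], v["PkgName"])] = v["FixedVersion"]
    return out


def triage_diff(before_json, after_json):
    """Which fixable findings a rebuild cleared, which it surfaced, and which still remain."""
    before, after = fixable_findings(before_json), fixable_findings(after_json)
    return {"cleared": sorted(before.keys() - after.keys()),
            "surfaced": sorted(after.keys() - before.keys()),
            "remaining": sorted(before.keys() & after.keys())}


if __name__ == "__main__":
    for bucket, findings in triage_diff(BEFORE, AFTER).items():
        print(bucket, findings)
```

A non-empty `surfaced` bucket after a rebuild is the signal this PR hit: the refreshed image exposed a finding (qs) that the stale cached layers had been masking.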

Scheduled :main Trivy scan (run #26509407170) flagged 8 CRITICAL/HIGH
fixable OS-package CVEs whose fixes are already in the Debian archive:

- CVE-2026-40356: krb5 family (krb5-locales, libgssapi-krb5-2,
  libk5crypto3, libkrb5-3, libkrb5support0) 1.21.3-5 -> 1.21.3-5+deb13u1
- CVE-2026-23171: linux-libc-dev 6.12.88-1 -> 6.12.90-1
- CVE-2026-43503: linux-libc-dev 6.12.88-1 -> 6.12.90-1
- CVE-2026-46300: linux-libc-dev 6.12.88-1 -> 6.12.90-1

Bumping APT_CACHE_BUST (2026-05-19 -> 2026-05-27) invalidates the cached
apt layer so apt-get update && upgrade -y re-fetches the patched versions
transitively. No pins, per the convention established in #104.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ashiramin ashiramin marked this pull request as ready for review May 27, 2026 17:42
cortexapps/snyk-broker#24 floored the qs override at ^6.15.2 (resolves
6.15.2, was the vulnerable 6.15.0) and was released as v1.0.15-axon.
Bumping SNYK_BROKER_VERSION pulls the patched qs into the agent image,
clearing the CVE-2026-8723 finding that this PR's trivy-pr scan surfaced.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ashiramin ashiramin requested a review from shawnburke May 27, 2026 20:18
@ashiramin ashiramin merged commit f965e1b into main May 27, 2026
17 checks passed
@ashiramin ashiramin deleted the aa/fix-vulns-20260527 branch May 27, 2026 20:29