Skip to content

Upgrade zlib due to https://security.alpinelinux.org/vuln/CVE-2026-27171#136

Open
amirvaza wants to merge 1 commit intovalkey-io:mainlinefrom
amirvaza:mainline
Open

Upgrade zlib due to https://security.alpinelinux.org/vuln/CVE-2026-27171#136
amirvaza wants to merge 1 commit intovalkey-io:mainlinefrom
amirvaza:mainline

Conversation

@amirvaza
Copy link
Copy Markdown

@amirvaza amirvaza commented Mar 17, 2026

No description provided.

@amirvaza amirvaza closed this Mar 17, 2026
@amirvaza amirvaza reopened this Mar 17, 2026
@amirvaza amirvaza closed this Mar 17, 2026
@amirvaza amirvaza reopened this Mar 17, 2026
@amirvaza
Upgrade zlib due to https://security.alpinelinux.org/vuln/CVE-2026-27171
79557c0 


Signed-off-by: Amir Vaza <25140441+amirvaza@users.noreply.github.com>
Nikhil-Manglore
Nikhil-Manglore approved these changes Mar 17, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Nikhil-Manglore Nikhil-Manglore left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@amirvaza
Copy link
Copy Markdown
Author

amirvaza commented Mar 18, 2026

Anything stops us from merging? :)

roshkhatri
roshkhatri reviewed Mar 18, 2026
View reviewed changes
Comment thread Dockerfile.template
setpriv \
openssl \
libgcc \
zlib=1.3.2-r0 \
Copy link
Copy Markdown
Member

@roshkhatri roshkhatri Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pinning this version would need to be updated once a new version is out.

Has alpine released a new patch for this CVE?
We can just rebuild all and it will patch all the images

Copy link
Copy Markdown
Member

@roshkhatri roshkhatri Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alpine 3.23 has zlib=1.3.2-r0 https://pkgs.alpinelinux.org/package/v3.23/main/x86_64/zlib
We would only need to rebuild the image

Copy link
Copy Markdown

@Eskuero Eskuero Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The alpine base image is two months old and contains the vuln https://hub.docker.com/layers/library/alpine/3.23.3/images/sha256-59855d3dceb3ae53991193bd03301e082b2a7faa56a514b03527ae0ec2ce3a95

Copy link
Copy Markdown
Member

@roshkhatri roshkhatri Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can we change from pinning the versions to auto update? as maintaining this would be an added effort

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roshkhatri roshkhatri roshkhatri left review comments

@Nikhil-Manglore Nikhil-Manglore Nikhil-Manglore approved these changes

+1 more reviewer

@Eskuero Eskuero Eskuero left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@amirvaza @Eskuero @Nikhil-Manglore @roshkhatri