fix: update docker version and alpine #137

Merged
alinashklyar merged 4 commits into master from CR-40559-security
Jul 1, 2026

@alinashklyar alinashklyar commented Jun 26, 2026

Contributor

What

Why

Notes

Labels

Assign the following labels to the PR:

security - to trigger image scanning in CI build

PR Comments

Add the following comments to the PR:

/e2e - to trigger E2E build

Security Report — codefresh/dind

Fixed CVEs: 38

🟣 Critical: 7

  • CVE-2026-46595 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39834 in golang.org/x/crypto/ssh@v0.48.0 at /usr/local/libexec/docker/cli-plugins/docker-compose
  • CVE-2026-39834 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39833 in golang.org/x/crypto/ssh/agent@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39832 in golang.org/x/crypto/ssh/agent@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39831 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39830 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx

🔴 High: 8

  • CVE-2026-48702 in github.com/sigstore/rekor@v1.5.0 at /usr/local/bin/dockerd
  • CVE-2026-46597 in golang.org/x/crypto/ssh@v0.48.0 at /usr/local/libexec/docker/cli-plugins/docker-compose
  • CVE-2026-46597 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39836 in net@1.26.2 at /bin/node_exporter
  • CVE-2026-39829 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-33814 in golang.org/x/net/http2@v0.47.0 at /usr/local/bin/containerd
  • CVE-2026-33814 in net/http@1.26.2 at /bin/node_exporter
  • CVE-2026-46680 in github.com/containerd/containerd/v2@v2.2.3 at /usr/local/libexec/docker/cli-plugins/docker-buildx

🟠 Medium: 9

  • CVE-2026-39827 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39828 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39826 in html/template@1.26.2 at /bin/node_exporter
  • CVE-2026-39823 in html/template@1.26.2 at /bin/node_exporter
  • CVE-2026-49835 in github.com/sigstore/timestamp-authority/v2@v2.0.6 at /usr/local/bin/dockerd
  • CVE-2026-46598 in golang.org/x/crypto/ssh/agent@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-39835 in golang.org/x/crypto/ssh@v0.50.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • GO-2026-5547 in github.com/in-toto/in-toto-golang@v0.10.0 at /usr/local/libexec/docker/cli-plugins/docker-compose
  • CVE-2026-41579 in github.com/opencontainers/runc@v1.3.5 at /usr/local/bin/runc

⚫ Unassigned: 14

  • CVE-2026-27145 in crypto/x509@1.26.2 at /bin/node_exporter
  • CVE-2026-27145 in crypto/x509@1.26.3 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-25680 in golang.org/x/net/html@v0.53.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-25680 in golang.org/x/net/html@v0.47.0 at /usr/local/bin/containerd
  • CVE-2026-42506 in golang.org/x/net/html@v0.47.0 at /usr/local/bin/containerd
  • CVE-2026-42506 in golang.org/x/net/html@v0.53.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-42502 in golang.org/x/net/html@v0.47.0 at /usr/local/bin/containerd
  • CVE-2026-42502 in golang.org/x/net/html@v0.53.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-27136 in golang.org/x/net/html@v0.47.0 at /usr/local/bin/containerd
  • CVE-2026-27136 in golang.org/x/net/html@v0.53.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-25681 in golang.org/x/net/html@v0.53.0 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-25681 in golang.org/x/net/html@v0.47.0 at /usr/local/bin/containerd
  • CVE-2026-42507 in net/textproto@1.26.3 at /usr/local/libexec/docker/cli-plugins/docker-buildx
  • CVE-2026-42507 in net/textproto@1.26.2 at /bin/node_exporter

Fixed issues: 7

Comment thread Dockerfile Outdated
@@ -1,8 +1,8 @@
# CI relies on this ARG. Don't remove or rename it
ARG DOCKER_VERSION=29.5.3
ARG DOCKER_VERSION=29.6.0
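Review bot: DOCKER_VERSION on the changed ARG line is pinned by release tag only, and the comment above it says CI relies on this ARG, so this one value decides which Docker build CI produces and scans. If the ARG feeds a FROM line or a download step further down the Dockerfile (not visible in this hunk), consider also pinning the resolved image by digest or verifying a checksum there, so that the image behind the Security Report is the one that ships. The report lists fixes in several bundled binaries (docker-buildx, docker-compose, containerd, runc, node_exporter); since the What and Why sections of the description are empty, it would help to state which of those are picked up by this version bump and which by the alpine update named in the title.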

Contributor

Let's upgrade to the fresh 29.6.1; it brings additional security fixes.

Suggested change
ARG DOCKER_VERSION=29.6.0
ARG DOCKER_VERSION=29.6.1

@alinashklyar

Contributor Author

/e2e

@alinashklyar alinashklyar merged commit 937c2e3 into master Jul 1, 2026
4 checks passed
@alinashklyar alinashklyar deleted the CR-40559-security branch July 1, 2026 10:35
alinashklyar added a commit that referenced this pull request Jul 1, 2026
* update docker version and alpine

* update DHI'

* bump

(cherry picked from commit 937c2e3)

3 participants