fix: upgrade base image packages to fix critical CVEs#26
Add `apt-get upgrade` in runtime stage to patch:
- CVE-2025-58050 (libpcre2 heap buffer overflow)
- CVE-2026-31789 (openssl heap buffer overflow)
📝 Walkthrough
The change adds a single
Changes: Runtime Image Dependency Upgrade
Estimated code review effort: 1 (Trivial) | ~2 minutes
🚥 Pre-merge checks: ✅ 5 passed checks (5 passed)
🧹 Nitpick comments (2)
Dockerfile.release (2)
191-191: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
`--no-install-recommends` is a no-op on `apt-get upgrade`. This flag only affects packages being newly installed ("Do not consider recommended packages as a dependency for installing"). `upgrade` does not install new packages by default, so the flag has no effect here; it's harmless but misleading.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Dockerfile.release` at line 191, The apt-get upgrade step is using --no-install-recommends in a place where it has no effect, so remove that flag from the Dockerfile.release package upgrade command. Update the release image build step that runs apt-get upgrade to keep only the relevant upgrade arguments, since the flag is only meaningful for install operations.
191-191: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win
Consider `dist-upgrade` to avoid held-back packages.
Plain `apt-get upgrade` will not install or remove packages, so any patched package (e.g. a new `libpcre2`/`openssl`) that requires a dependency change or removal to upgrade is silently held back rather than upgraded, which could leave a CVE unpatched without any build failure signal. `apt-get -y dist-upgrade` (or `full-upgrade`) handles those dependency changes and is the safer choice for a security-patch step.
♻️ Proposed fix
- apt-get -y upgrade --no-install-recommends && \ + apt-get -y dist-upgrade --no-install-recommends && \🤖 Prompt for AI Agents
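Review bot: the replacement line keeps `--no-install-recommends`, which the other nitpick on line 191 calls a no-op; that is only true for `upgrade`. `dist-upgrade` can install new packages to satisfy changed dependencies, so once this suggestion is taken the flag does real work (it stops Recommends from being pulled into the runtime image) and should stay, while the "remove the flag" suggestion only applies if `upgrade` is kept. Whichever variant lands, neither `upgrade` nor `dist-upgrade` fails the build when a package is kept back, so the RUN step should also verify that the packages named in the PR description actually reached fixed versions, for example by checking `dpkg-query -W` output for the affected packages after the upgrade, rather than relying on a clean exit status.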
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Dockerfile.release` at line 191, The security patch step in the Dockerfile.release upgrade flow uses apt-get upgrade, which can leave dependency-changing updates held back; update the upgrade step in the apt-get chain to use apt-get -y dist-upgrade (or full-upgrade) instead, keeping the rest of the install sequence intact. Use the existing Dockerfile.release upgrade stanza around the apt-get command to make the change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 611fce32-2a05-4f10-bc7f-e5361e402307
📒 Files selected for processing (1)
Dockerfile.release
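The second nitpick above describes the failure mode (apt-get keeps a package back and still exits 0, so the image builds with the CVE unpatched) but not how to catch it in a build. The shell snippet below is an added example, not code from this PR or from the project: it parses apt-get's own "kept back" paragraph and returns non-zero when any of the packages you care about was held back. The sample apt-get output and the package names `libpcre2-8-0`, `libpcre2-16-0`, `libssl3` and `openssl` are constructed for the demonstration; which packages the real image ships is an assumption.

```shell
#!/bin/sh
# Added example (not the PR's code): fail a Docker build step when apt-get
# upgrade / dist-upgrade holds packages back. apt-get prints a
# "The following packages have been kept back:" paragraph in that case and
# still exits 0, so nothing fails unless a check like this runs.

# Read apt-get output on stdin and print held-back package names, one per
# line. The paragraph is a header line followed by indented name lines and
# ends at the next non-indented line.
held_back_packages() {
  awk '
    /^The following packages have been kept back:/ { collecting = 1; next }
    collecting && /^[[:space:]]/ { for (i = 1; i <= NF; i++) print $i; next }
    collecting && !/^[[:space:]]/ { collecting = 0 }
  '
}

# Return 0 if none of the packages given as arguments appear in the held-back
# list parsed from stdin, otherwise name each offender on stderr and return 1.
assert_not_held_back() {
  held="$(held_back_packages)"
  rc=0
  for pkg in "$@"; do
    if printf '%s\n' "$held" | grep -qx -- "$pkg"; then
      echo "ERROR: $pkg was kept back by apt-get; its CVE fix was not applied" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample output, not from a real run: openssl gets upgraded,
# the pcre2 runtime packages are kept back (assumed package names).
SAMPLE_OUTPUT='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages have been kept back:
  libpcre2-8-0 libpcre2-16-0
The following packages will be upgraded:
  libssl3 openssl
2 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.'

# Intended use in a Dockerfile RUN line (hypothetical; the PR does not do
# this). Capture the output to a file rather than piping, so apt-get's own
# exit status is not lost in a pipeline under plain /bin/sh:
#   apt-get update && apt-get -y upgrade > /tmp/apt.log 2>&1 && \
#   assert_not_held_back libpcre2-8-0 libssl3 < /tmp/apt.log
```

With the sample above, `assert_not_held_back libssl3 openssl` succeeds and `assert_not_held_back libpcre2-8-0 libssl3` fails, which is exactly the "CVE silently unpatched" case the review comment warns about turned into a build failure.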
Summary
- `apt-get upgrade` in Dockerfile.release runtime stage to patch critical CVEs
- `perl-base` CVEs have no Debian fix available (not used by OLR at runtime)
Test plan
- (`perl-base` only)