
fix: upgrade base image packages to fix critical CVEs#26

Merged
rophy merged 1 commit into master from fix/cve-upgrade on Jul 3, 2026

Conversation

@rophy rophy (Owner) commented Jul 3, 2026

Summary

  • Add apt-get upgrade in Dockerfile.release runtime stage to patch critical CVEs
  • Fixes CVE-2025-58050 (libpcre2 heap buffer overflow) and CVE-2026-31789 (openssl heap buffer overflow)
  • Base image upgraded from Debian 13.0 → 13.5
  • 2 remaining perl-base CVEs have no Debian fix available (not used by OLR at runtime)

Test plan

  • Trivy scan: 5 critical → 2 (unfixable perl-base only)
  • Redo log regression: 161/161 passed

Summary by CodeRabbit

  • Chores
    • Updated the app’s runtime image setup to apply system package updates before installing required libraries.
    • This helps keep the final image current while preserving the same cleanup and library availability behavior.

Add apt-get upgrade in runtime stage to patch:
- CVE-2025-58050 (libpcre2 heap buffer overflow)
- CVE-2026-31789 (openssl heap buffer overflow)
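The test plan above gates on Trivy's critical count and accepts the two remaining perl-base findings because Debian ships no fix for them. The following is an added example, not code from this PR or from the project, of a CI gate that encodes that rule explicitly: it fails on any CRITICAL or HIGH finding that has a FixedVersion, and on unfixable findings unless their CVE id is on an accepted list, so a newly unfixable CVE still surfaces for review instead of being ignored wholesale. It assumes the `trivy image --format json` report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `FixedVersion`); the embedded reports, package versions and `CVE-0000-000x` ids are constructed placeholders.

```python
"""Added example (not from the PR or the OLR project): gate an image build on a
Trivy JSON report. Fails on any CRITICAL/HIGH finding that has a fix, and on
unfixable findings not explicitly accepted by CVE id.

Assumes the `trivy image --format json` layout: Results[].Vulnerabilities[] with
VulnerabilityID, PkgName, Severity and FixedVersion ("" when no fix exists).
"""
import json
import sys

GATE_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


def _report(*vulns):
    """Build a minimal Trivy-shaped report from constructed findings."""
    return json.dumps({"Results": [{"Target": "sample-image (debian 13)",
                                    "Vulnerabilities": list(vulns)}]})


def _vuln(cve, pkg, severity, fixed=""):
    return {"VulnerabilityID": cve, "PkgName": pkg, "Severity": severity,
            "InstalledVersion": "1.0-1", "FixedVersion": fixed}


# Constructed samples; the CVE ids and versions are placeholders, not real advisories.
# BEFORE: one fixable critical, one unfixable critical, one medium (below the gate).
REPORT_BEFORE = _report(
    _vuln("CVE-0000-0001", "libssl3t64", "CRITICAL", fixed="1.0-2"),
    _vuln("CVE-0000-0002", "perl-base", "CRITICAL"),
    _vuln("CVE-0000-0003", "libc6", "MEDIUM", fixed="1.0-2"),
)
# AFTER apt-get upgrade: the fixable critical is gone, the unfixable one remains.
REPORT_AFTER = _report(
    _vuln("CVE-0000-0002", "perl-base", "CRITICAL"),
    _vuln("CVE-0000-0003", "libc6", "MEDIUM", fixed="1.0-2"),
)


def triage(report_json, severities=GATE_SEVERITIES):
    """Split findings at gate severity into (fixable, unfixable) lists of
    (cve, package, fixed_version) tuples; lower severities are ignored."""
    fixable, unfixable = [], []
    for result in json.loads(report_json).get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            entry = (v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion") or "")
            (fixable if entry[2] else unfixable).append(entry)
    return fixable, unfixable


def gate(report_json, accepted_unfixable=frozenset()):
    """Return (ok, messages). ok is False if any fixable finding remains or an
    unfixable one is not on the accepted list."""
    fixable, unfixable = triage(report_json)
    failures, messages = 0, []
    for cve, pkg, fixed in fixable:
        failures += 1
        messages.append(f"FAIL {cve} in {pkg}: fixed in {fixed}, upgrade the package")
    for cve, pkg, _ in unfixable:
        if cve in accepted_unfixable:
            messages.append(f"ACCEPTED {cve} in {pkg}: no fix available, risk accepted")
        else:
            failures += 1
            messages.append(f"FAIL {cve} in {pkg}: no fix available and not on the accepted list")
    return failures == 0, messages


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json IMAGE && python3 trivy_gate.py report.json CVE-...
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = fh.read()
    else:
        report = REPORT_AFTER
    accepted = frozenset(sys.argv[2:]) or frozenset({"CVE-0000-0002"})
    ok, msgs = gate(report, accepted)
    print("\n".join(msgs))
    sys.exit(0 if ok else 1)
```

Trivy's own `--ignore-unfixed` and `--exit-code 1` flags give the first half of this behaviour on their own; the script adds the explicit acceptance list so that each unfixable finding is a recorded decision rather than a blanket exclusion.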
@coderabbitai coderabbitai Bot commented Jul 3, 2026

📝 Walkthrough

The change adds a single apt-get -y upgrade --no-install-recommends command in the runtime stage of Dockerfile.release, placed between the existing apt-get update and the installation of libaio1t64, without altering other build steps.

Changes

Runtime Image Dependency Upgrade

Layer: Add apt-get upgrade step
File(s): Dockerfile.release
Summary: Inserts an apt-get -y upgrade --no-install-recommends call before the existing libaio1t64 install in the runtime stage.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled)
Title check: Passed (the title accurately reflects the main change: upgrading runtime image packages to address critical CVEs)
Docstring Coverage: Passed (no functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check)
Linked Issues check: Passed (check skipped because no linked issues were found for this pull request)
Out of Scope Changes check: Passed (check skipped because no linked issues were found for this pull request)

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
Dockerfile.release (2)

191-191: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

--no-install-recommends is a no-op on apt-get upgrade.

This flag only affects packages being newly installed ("Do not consider recommended packages as a dependency for installing"). upgrade does not install new packages by default, so the flag has no effect here; it's harmless but misleading.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.release` at line 191, The apt-get upgrade step is using
--no-install-recommends in a place where it has no effect, so remove that flag
from the Dockerfile.release package upgrade command. Update the release image
build step that runs apt-get upgrade to keep only the relevant upgrade
arguments, since the flag is only meaningful for install operations.

191-191: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider dist-upgrade to avoid held-back packages.

Plain apt-get upgrade will not install or remove packages, so any patched package (e.g. a new libpcre2/openssl) that requires a dependency change or removal to upgrade is silently held back rather than upgraded — which could leave a CVE unpatched without any build failure signal. apt-get -y dist-upgrade (or full-upgrade) handles those dependency changes and is the safer choice for a security-patch step.

♻️ Proposed fix
-    apt-get -y upgrade --no-install-recommends && \
+    apt-get -y dist-upgrade --no-install-recommends && \
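Review bot: the `+` line keeps `--no-install-recommends` on `dist-upgrade`, while the first nitpick on the same Dockerfile line asks for that flag to be removed as a no-op; applied together the two suggestions conflict. On `dist-upgrade` the flag is not a no-op: as this comment itself notes, `dist-upgrade` may install new packages to satisfy changed dependencies, and their Recommends would otherwise be pulled into the runtime image, so the flag should stay if `dist-upgrade` is adopted. Since `dist-upgrade` can also remove packages, the step is worth pairing with a check that fails the build when anything is still pending, for example `apt-get -s dist-upgrade | grep -q '^0 upgraded, 0 newly installed, 0 to remove'` run before the apt lists are cleaned up, so a held-back patch becomes a build error rather than a silent gap in the Trivy result.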
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.release` at line 191, The security patch step in the
Dockerfile.release upgrade flow uses apt-get upgrade, which can leave
dependency-changing updates held back; update the upgrade step in the apt-get
chain to use apt-get -y dist-upgrade (or full-upgrade) instead, keeping the rest
of the install sequence intact. Use the existing Dockerfile.release upgrade
stanza around the apt-get command to make the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 611fce32-2a05-4f10-bc7f-e5361e402307

📥 Commits

Reviewing files that changed from the base of the PR and between 26641b0 and c0c6a9d.

📒 Files selected for processing (1)
  • Dockerfile.release
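The held-back behaviour the review describes (plain apt-get upgrade silently skipping an update that needs a dependency change, with no build failure) can be turned into a build-time signal. The block below is an added example, not code from this PR or from the project: after the real upgrade it runs `apt-get -s dist-upgrade` (a simulation that changes nothing) and parses the summary; if apt still wants to upgrade, install or remove anything, or lists packages as kept back, the image is not fully patched and the build should fail. The two embedded apt outputs are constructed samples; `libssl3t64` follows Debian's package naming but the scenario is illustrative.

```python
"""Added example (not from the PR or the OLR project): post-upgrade check that
turns a held-back security update into a build failure.

After the real `apt-get -y upgrade`, run `apt-get -s dist-upgrade` (dry run,
nothing is changed) and parse its summary. Any pending change, or a package
listed as kept back, means a patch was held back. Sample outputs are constructed.
"""
import re
import subprocess

SUMMARY_RE = re.compile(
    r"^(?P<upgraded>\d+) upgraded, (?P<newly_installed>\d+) newly installed, "
    r"(?P<to_remove>\d+) to remove and (?P<not_upgraded>\d+) not upgraded\.$"
)

# Constructed: what `apt-get -s upgrade` reports when a package needs a new
# dependency that plain upgrade refuses to install.
SAMPLE_HELD_BACK = """\
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages have been kept back:
  libssl3t64
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
"""

# Constructed: a fully patched image; nothing pending in either dry run.
SAMPLE_CLEAN = """\
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
"""


def parse_apt_simulation(text):
    """Parse `apt-get -s upgrade|dist-upgrade` output into the four summary
    counters plus the list of packages apt reports as kept back."""
    result = {"held_back": []}
    in_kept_back = False
    for line in text.splitlines():
        if line.startswith("The following packages have been kept back:"):
            in_kept_back = True
            continue
        if in_kept_back:
            if line.startswith("  "):  # indented, space-separated package names
                result["held_back"].extend(line.split())
                continue
            in_kept_back = False
        m = SUMMARY_RE.match(line.strip())
        if m:
            result.update({k: int(v) for k, v in m.groupdict().items()})
    if "upgraded" not in result:
        raise ValueError("no apt summary line found; expected `apt-get -s` output")
    return result


def fully_patched(text):
    """True only if the dry run would change nothing and nothing is kept back."""
    r = parse_apt_simulation(text)
    pending = r["upgraded"] + r["newly_installed"] + r["to_remove"] + r["not_upgraded"]
    return pending == 0 and not r["held_back"]


def check_image(mode="dist-upgrade"):
    """Run the dry run on this system and return (ok, parsed summary).
    dist-upgrade is the stricter probe: it counts the dependency-changing
    updates that plain upgrade would leave in 'not upgraded'."""
    out = subprocess.run(["apt-get", "-s", mode], capture_output=True,
                         text=True, check=True).stdout
    return fully_patched(out), parse_apt_simulation(out)


if __name__ == "__main__":
    ok, summary = check_image()
    print(summary)
    raise SystemExit(0 if ok else 1)
```

The check has to run before the apt lists are deleted, since the simulation needs them; in a Dockerfile the same gate fits on one line in the upgrade RUN stanza, `apt-get -s dist-upgrade | grep -q '^0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded'`, which fails the layer if anything is still pending.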

@rophy rophy merged commit 1b09ac5 into master Jul 3, 2026
3 checks passed
@rophy rophy deleted the fix/cve-upgrade branch July 3, 2026 05:19

1 participant