security: upgrade some package versions
Push -> develop / Build Docker images (push) Successful in 14s
Push -> develop / Deploy (push) Successful in 19s
Push -> develop / Notify on result (push) Successful in 0s

sangnn
2026-06-23 07:14:25 +00:00
parent 685df6a4cb
commit 19b2565a73
-47
@@ -1,47 +0,0 @@
# Accepted vulnerabilities — reviewed, justified, and tracked.
# Format: one CVE/GHSA ID per line. Re-evaluate each at the review date below.
#
# ---------------------------------------------------------------------------
# cryptography is pinned to 43.0.3 because sshkey-tools 0.11.3 (SSH CA cert
# signing) requires cryptography <44. The two findings below are only fixed in
# cryptography >=44/48, which we cannot adopt until sshkey-tools relaxes its pin.
#
# Reviewed: 2026-06-23 | Next review: 2026-09-23
# Action to remove: bump sshkey-tools to a release allowing cryptography>=48,
# then set cryptography>=48.0.1 and delete these lines.
# ---------------------------------------------------------------------------
# SECT (binary-field) curve subgroup attack. Not reachable: Gatehouse uses only
# RSA / NIST P-256 / Ed25519 (JWT, x509, SSH CA). No SECT curves anywhere.
CVE-2026-26007
# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
GHSA-537c-gmf6-5ccf
# ---------------------------------------------------------------------------
# Unfixable base-image OS packages (Debian slim). All are status "affected" or
# "fix_deferred" with NO fixed version available upstream — apt cannot patch
# them. They are deep base packages we cannot remove without breaking the image
# (perl/dpkg tooling, ncurses for terminal libs, sqlite via Python stdlib).
# None are reachable from the app's input paths (no Archive::Tar on untrusted
# input, no curl, sqlite3 stdlib unused with untrusted DB files).
#
# Reviewed: 2026-06-23 | Next review: 2026-09-23
# Strategic fix: migrate to a distroless / Chainguard Python base, which drops
# perl, ncurses tooling and sqlite entirely. Revisit then.
# ---------------------------------------------------------------------------
# perl-base (Archive::Tar / IO-Compress) — no fix available
CVE-2026-42496
CVE-2026-42497
CVE-2026-48962
CVE-2026-9538
CVE-2026-8376
# ncurses (libtinfo6 / libncursesw6 / ncurses-base / ncurses-bin) — no fix
CVE-2025-69720
# libsqlite3-0 — no fix
CVE-2026-11822
CVE-2026-11824
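Review bot: Deleting the whole accepted-vulnerabilities file goes further than the commit message ("upgrade some package versions") and the file's own removal criteria support. The cryptography block (CVE-2026-26007 and GHSA-537c-gmf6-5ccf) spells out its exit condition, "bump sshkey-tools to a release allowing cryptography>=48, then set cryptography>=48.0.1 and delete these lines", so dropping those two entries is justified only if that bump is part of this change; the commit message should state the new sshkey-tools and cryptography versions so a reviewer can confirm the cryptography <44 cap is gone. The base-image block (perl-base, ncurses and libsqlite3-0, seven CVE IDs) says no fixed version exists upstream and that the planned fix is a migration to a distroless / Chainguard Python base; nothing in this diff shows that migration, so those IDs will either resurface as new scanner findings or silently stop being tracked against their 2026-09-23 review date. Suggest keeping the OS-package block with its review date and action note, or moving the base-image change into its own commit that documents the new base.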