security: upgrade some package versions
@@ -18,3 +18,30 @@ CVE-2026-26007
# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
GHSA-537c-gmf6-5ccf

# ---------------------------------------------------------------------------
# Unfixable base-image OS packages (Debian slim). All are status "affected" or
# "fix_deferred" with NO fixed version available upstream — apt cannot patch
# them. They are deep base packages we cannot remove without breaking the image
# (perl/dpkg tooling, ncurses for terminal libs, sqlite via Python stdlib).
# None are reachable from the app's input paths (no Archive::Tar on untrusted
# input, no curl, sqlite3 stdlib unused with untrusted DB files).
#
# Reviewed: 2026-06-23 | Next review: 2026-09-23
# Strategic fix: migrate to a distroless / Chainguard Python base, which drops
# perl, ncurses tooling and sqlite entirely. Revisit then.
# ---------------------------------------------------------------------------

# perl-base (Archive::Tar / IO-Compress) — no fix available
CVE-2026-42496
CVE-2026-42497
CVE-2026-48962
CVE-2026-9538
CVE-2026-8376

# ncurses (libtinfo6 / libncursesw6 / ncurses-base / ncurses-bin) — no fix
CVE-2025-69720

# libsqlite3-0 — no fix
CVE-2026-11822
CVE-2026-11824

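Review bot: the `Next review: 2026-09-23` date on the `# Reviewed:` line is only a comment, so nothing enforces it and the suppressions this hunk adds will silently outlive the base-image migration they are waiting on. If this is a Trivy ignore file, move the block to `.trivyignore.yaml`, where each entry takes an `expired_at: 2026-09-23` field and the scanner re-flags the CVEs once that date passes; otherwise add a CI check that fails after the review date. Two smaller points: the reachability justification (`# None are reachable from the app's input paths`) should name what was checked (the grep or test showing no Archive::Tar use and no sqlite3 import on untrusted data), since the next reviewer has to re-verify it rather than take it on trust, and the commit message `security: upgrade some package versions` does not say that this hunk adds suppressions rather than upgrades, which is the part a future reader of the log will care about.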