security: upgrade some package versions

2026-06-23 04:25:25 +00:00
parent 99c488d4d5
commit 685df6a4cb
3 changed files with 43 additions and 5 deletions
@@ -18,3 +18,30 @@ CVE-2026-26007
 # Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
 # Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
 GHSA-537c-gmf6-5ccf
 # ---------------------------------------------------------------------------
 # Unfixable base-image OS packages (Debian slim). All are status "affected" or
 # "fix_deferred" with NO fixed version available upstream — apt cannot patch
 # them. They are deep base packages we cannot remove without breaking the image
 # (perl/dpkg tooling, ncurses for terminal libs, sqlite via Python stdlib).
 # None are reachable from the app's input paths (no Archive::Tar on untrusted
 # input, no curl, sqlite3 stdlib unused with untrusted DB files).
 #
 # Reviewed: 2026-06-23  |  Next review: 2026-09-23
 # Strategic fix: migrate to a distroless / Chainguard Python base, which drops
 # perl, ncurses tooling and sqlite entirely. Revisit then.
 # ---------------------------------------------------------------------------
 # perl-base (Archive::Tar / IO-Compress) — no fix available
 CVE-2026-42496
 CVE-2026-42497
 CVE-2026-48962
 CVE-2026-9538
 CVE-2026-8376
 # ncurses (libtinfo6 / libncursesw6 / ncurses-base / ncurses-bin) — no fix
 CVE-2025-69720
 # libsqlite3-0 — no fix
 CVE-2026-11822
 CVE-2026-11824
@@ -29,14 +29,21 @@ FROM python:3.11-slim
 # Install runtime dependencies
 # apt-get upgrade pulls patched openssl/openssh/etc. so the image isn't pinned to
 # whatever was current when the base layer was published.
-# NOTE: openssh-client carries 3 CVEs (CVE-2026-35385/35386/35414). SSH CA signing
+# curl intentionally omitted: it was only used by HEALTHCHECK (now a stdlib Python
-# uses sshkey-tools (pure Python), so drop this line if nothing shells out to ssh/scp.
+# check), and dropping it removes libcurl4t64 + libssh2 and their unfixed CVEs.
 # NOTE: openssh-client retained for SSH CA workflows; drop it too if nothing shells
 # out to ssh/scp (sshkey-tools signing is pure Python).
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq5 \
    curl \
    openssh-client \
    && rm -rf /var/lib/apt/lists/*
 # Patch the base image's system-level build tooling that Trivy flags in
 # /usr/local site-packages: wheel (CVE-2026-24049) and the jaraco.context
 # (CVE-2026-23949) vendored by setuptools. Runs against system pip before the
 # venv takes over PATH below.
 RUN pip install --no-cache-dir --upgrade pip setuptools wheel
 # Create non-root user
 RUN groupadd --gid 1000 appgroup && \
    useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser
@@ -58,9 +65,9 @@ USER appuser
 # Expose port
 EXPOSE 5000
-# Health check
+# Health check (stdlib urllib — avoids shipping curl)
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-    CMD curl -f http://localhost:5000/api/health || exit 1
+    CMD ["python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:5000/api/health', timeout=5).getcode()==200 else 1)"]
 # Run gunicorn with gevent workers
 CMD ["gunicorn", "--bind", "0.0.0.0:5000", \
@@ -21,6 +21,10 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-reco
    libpq5 \
    && rm -rf /var/lib/apt/lists/*
 # Patch system-level wheel (CVE-2026-24049) + setuptools-vendored jaraco.context
 # (CVE-2026-23949) that Trivy flags in /usr/local site-packages.
 RUN pip install --no-cache-dir --upgrade pip setuptools wheel
 RUN groupadd --gid 1000 appgroup && \
    useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser