From ada22e6017f9f16cdcaa4890fd012f03e078e944 Mon Sep 17 00:00:00 2001 From: sangnn Date: Tue, 23 Jun 2026 03:20:58 +0000 Subject: [PATCH] security: upgrade some package versions --- .gitea/workflows/push-develop.yml | 8 ++++++++ .gitea/workflows/push-main.yml | 8 ++++++++ Dockerfile | 9 +++++++-- Dockerfile.job | 4 ++-- requirements/base.txt | 14 ++++++++------ requirements/development.txt | 4 ++-- requirements/production.txt | 2 +- 7 files changed, 36 insertions(+), 13 deletions(-) diff --git a/.gitea/workflows/push-develop.yml b/.gitea/workflows/push-develop.yml index 1553572..b325c0f 100644 --- a/.gitea/workflows/push-develop.yml +++ b/.gitea/workflows/push-develop.yml @@ -49,6 +49,14 @@ jobs: --no-progress \ "gatehouse-api:${{ steps.sha.outputs.tag }}" + - name: Scan job image for vulnerabilities (Trivy) + run: | + trivy image \ + --exit-code 0 \ + --severity HIGH,CRITICAL \ + --no-progress \ + "gatehouse-api-job:${{ steps.sha.outputs.tag }}" + # ── 2. Deploy ───────────────────────────────────────────────────────────────── deploy: name: Deploy diff --git a/.gitea/workflows/push-main.yml b/.gitea/workflows/push-main.yml index dab173a..5304e9f 100644 --- a/.gitea/workflows/push-main.yml +++ b/.gitea/workflows/push-main.yml @@ -48,6 +48,14 @@ jobs: --no-progress \ "gatehouse-api:${{ steps.sha.outputs.tag }}" + - name: Scan job image for vulnerabilities (Trivy) + run: | + trivy image \ + --exit-code 0 \ + --severity HIGH,CRITICAL \ + --no-progress \ + "gatehouse-api-job:${{ steps.sha.outputs.tag }}" + # ── 2. Deploy ───────────────────────────────────────────────────────────────── deploy: name: Deploy diff --git a/Dockerfile b/Dockerfile index ec64cf4..99cb35d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,14 +19,19 @@ COPY requirements/base.txt requirements/base.txt COPY requirements/production.txt requirements/production.txt # Install dependencies -RUN pip install --no-cache-dir --upgrade pip wheel && \ +# Upgrade build tooling too: clears CVE-2026-24049 (wheel) and CVE-2026-23949 (jaraco.context) +RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \ pip install --no-cache-dir -r requirements/production.txt # Production stage FROM python:3.11-slim # Install runtime dependencies -RUN apt-get update && apt-get install -y --no-install-recommends \ +# apt-get upgrade pulls patched openssl/openssh/etc. so the image isn't pinned to +# whatever was current when the base layer was published. +# NOTE: openssh-client carries 3 CVEs (CVE-2026-35385/35386/35414). SSH CA signing +# uses sshkey-tools (pure Python), so drop this line if nothing shells out to ssh/scp. +RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \ libpq5 \ curl \ openssh-client \ diff --git a/Dockerfile.job b/Dockerfile.job index 56c9d6b..1c75478 100644 --- a/Dockerfile.job +++ b/Dockerfile.job @@ -12,12 +12,12 @@ WORKDIR /app COPY requirements/base.txt requirements/base.txt COPY requirements/production.txt requirements/production.txt -RUN pip install --no-cache-dir --upgrade pip wheel && \ +RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \ pip install --no-cache-dir -r requirements/production.txt FROM python:3.11-slim -RUN apt-get update && apt-get install -y --no-install-recommends \ +RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \ libpq5 \ && rm -rf /var/lib/apt/lists/* diff --git a/requirements/base.txt b/requirements/base.txt index a96d6c7..88c7c1d 100644 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -1,6 +1,6 @@ # Core Flask Flask==3.0.0 -Werkzeug==3.0.1 +Werkzeug==3.0.6 # CVE-2024-34069 (debug-server RCE); stays <3.1 for Flask 3.0 compat # Database SQLAlchemy==2.0.23 @@ -19,15 +19,17 @@ Flask-Bcrypt==1.0.1 pyotp==2.9.0 # WebAuthn / FIDO2 -fido2==1.1.2 -cbor2==5.6.0 +# fido2 removed: unused in the codebase (WebAuthn is parsed directly via cbor2), +# and it pinned cryptography<44, blocking the CVE-2026-26007 fix. Re-add fido2>=2.2.0 +# if migrating to the official library. +cbor2==5.9.0 # CVE-2024-26134, CVE-2026-26209 (DoS via recursion) # JWT / OIDC -PyJWT==2.8.0 -cryptography==42.0.7 +PyJWT==2.13.0 # CVE-2026-48526 (auth bypass via forged JWT), CVE-2026-32597 +cryptography==46.0.5 # CVE-2026-26007 (SECT subgroup attack) # CORS -Flask-CORS==4.0.0 +Flask-CORS==6.0.0 # CVE-2024-6221 (ACAO handling) # Environment variables python-dotenv==1.0.0 diff --git a/requirements/development.txt b/requirements/development.txt index 8c626fd..e321c71 100644 --- a/requirements/development.txt +++ b/requirements/development.txt @@ -36,8 +36,8 @@ requests==2.31.0 pytz==2023.3 python-dotenv==1.0.0 pydantic==2.5.0 -PyJWT==2.8.0 -cryptography==42.0.7 +PyJWT==2.13.0 +cryptography==46.0.5 pycryptodome==3.20.0 psycopg2-binary==2.9.9 sshkey-tools==0.11.3 diff --git a/requirements/production.txt b/requirements/production.txt index d50532a..7c85895 100644 --- a/requirements/production.txt +++ b/requirements/production.txt @@ -1,7 +1,7 @@ -r base.txt # Production WSGI server -gunicorn==21.2.0 +gunicorn==23.0.0 # CVE-2024-1135, CVE-2024-6827 (HTTP request smuggling) # Monitoring & logging sentry-sdk[flask]==1.39.1