
UID2-7109: upgrade gnutls in Azure CC and GCP OIDC Dockerfiles#2548

Merged
BehnamMozafari merged 2 commits into main from bmz-UID2-7109-fix-gnutls-vulnerabilities on May 18, 2026

Conversation

BehnamMozafari (Contributor) commented May 18, 2026

Summary

Bumps the pinned eclipse-temurin base image digest from ad0cdd97 (2026-04-15) to 704db3c4 (2026-05-08), which ships gnutls 3.8.13-r0 — fixing all 5 gnutls CVEs directly in the base image.

Also removes the manual `apk add --no-cache --upgrade gnutls` line from Dockerfile (no longer needed), and simplifies the apk step to just `apk add --no-cache gcompat`.

| CVE            | Severity | Title                                                        |
|----------------|----------|--------------------------------------------------------------|
| CVE-2026-33845 | CRITICAL | GnuTLS: Denial of Service via DTLS zero-length               |
| CVE-2026-42010 | CRITICAL | gnutls: Authentication Bypass via NUL Character in cert      |
| CVE-2026-33846 | HIGH     | GnuTLS: Denial of Service via heap buffer overflow           |
| CVE-2026-3833  | HIGH     | GnuTLS: Policy bypass due to case-sensitive                  |
| CVE-2026-42011 | HIGH     | gnutls: Security bypass due to incorrect name                |

Verified via Alpine 3.23 security DB (secdb.alpinelinux.org): gnutls 3.8.13-r0 fixes all CVEs listed above. New image published 2026-05-08, after the 2026-04-29 fix release.

Follows the workflow from UID2-6951: bump digest instead of layering manual apk upgrade lines.

Companion PRs for repos sharing the same base image:

Jira: https://thetradedesk.atlassian.net/browse/UID2-7109

Test plan

  • CI Trivy scan passes with no CRITICAL/HIGH findings for gnutls
  • Azure CC and GCP OIDC build jobs complete successfully

🤖 Generated with Claude Code
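The verification step the PR describes (checking Alpine's security DB for which gnutls version fixes the listed CVEs, then comparing against the version a base image ships) as an added example, not code from this repository. The secdb JSON layout and the simplified apk version comparison are assumptions; the JSON excerpt is constructed using only the package, version and CVE ids named in the PR.

```python
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed excerpt in the shape of Alpine's secdb JSON (the layout of
# https://secdb.alpinelinux.org/v3.23/main.json is assumed); the package,
# version and CVE ids are the ones named in the pull request.
SAMPLE_SECDB = json.loads("""
{"distroversion": "v3.23", "reponame": "main", "packages": [
  {"pkg": {"name": "gnutls", "secfixes": {
    "3.8.13-r0": ["CVE-2026-33845", "CVE-2026-42010", "CVE-2026-33846",
                  "CVE-2026-3833", "CVE-2026-42011"]}}}]}
""")

def parse_apk_version(version: str) -> Tuple[List[int], int]:
    """Turn '3.8.13-r0' into ([3, 8, 13], 0) for tuple comparison.
    Simplified: apk suffixes such as '_p1' are ignored (assumption)."""
    base, _, rel = version.partition("-r")
    return [int(x) for x in re.findall(r"\d+", base)], int(rel or 0)

def version_at_least(installed: str, required: str) -> bool:
    return parse_apk_version(installed) >= parse_apk_version(required)

def check_secdb(secdb: dict, package: str, installed: str,
                cves: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each CVE to ('fixed'|'unfixed'|'unknown', fixing version or None).
    The secdb key "0" means 'never affected' and compares as fixed; when a
    CVE is listed under several versions the lowest one is used."""
    secfixes: Dict[str, List[str]] = {}
    for entry in secdb.get("packages", []):
        if entry.get("pkg", {}).get("name") == package:
            secfixes = entry["pkg"].get("secfixes", {})
            break
    fix_version: Dict[str, str] = {}
    for version, ids in secfixes.items():
        for item in ids:
            for cve in item.split():  # an item may carry extra ids after the CVE
                cur = fix_version.get(cve)
                if cur is None or parse_apk_version(version) < parse_apk_version(cur):
                    fix_version[cve] = version
    result: Dict[str, Tuple[str, Optional[str]]] = {}
    for cve in cves:
        fixed_in = fix_version.get(cve)
        if fixed_in is None:
            result[cve] = ("unknown", None)
        elif version_at_least(installed, fixed_in):
            result[cve] = ("fixed", fixed_in)
        else:
            result[cve] = ("unfixed", fixed_in)
    return result
```

Calling `check_secdb(SAMPLE_SECDB, "gnutls", "3.8.12-r0", [...])` with the five CVE ids reports each as unfixed with 3.8.13-r0 as the fixing version, and the same call with "3.8.13-r0" reports all five as fixed; an unknown CVE or package yields "unknown" rather than a false pass.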

BehnamMozafari and others added 2 commits May 18, 2026 11:16
Adds `apk add --no-cache --upgrade gnutls` to scripts/azure-cc/Dockerfile
and scripts/gcp-oidc/Dockerfile, consistent with the existing pattern in
the main Dockerfile. Fixes CVE-2026-33845, CVE-2026-42010 (CRITICAL) and
CVE-2026-33846, CVE-2026-3833, CVE-2026-42011 (HIGH) in gnutls 3.8.12-r0
by upgrading to 3.8.13-r0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…13-r0)

Bumps the pinned base image digest from ad0cdd97 (2026-04-15) to 704db3c4
(2026-05-08), which ships gnutls 3.8.13-r0 — fixing CVE-2026-33845,
CVE-2026-42010 (CRITICAL) and CVE-2026-33846, CVE-2026-3833, CVE-2026-42011
(HIGH) directly in the base image.

Also removes the manual `--upgrade gnutls` apk line added in the previous
commit (no longer needed) and simplifies Dockerfile's apk step to just
`apk add --no-cache gcompat`.

Follows the workflow from UID2-6951: bump digest instead of layering manual
apk upgrades.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@BehnamMozafari BehnamMozafari merged commit 05b7113 into main May 18, 2026
9 checks passed
@BehnamMozafari BehnamMozafari deleted the bmz-UID2-7109-fix-gnutls-vulnerabilities branch May 18, 2026 03:32