From e578feea84e0a651ca9fdd3a937fe80c84af0644 Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Mon, 18 May 2026 11:16:18 +1000
Subject: [PATCH 1/2] UID2-7109: upgrade gnutls in Azure CC and GCP OIDC Dockerfiles

Adds `apk add --no-cache --upgrade gnutls` to scripts/azure-cc/Dockerfile and scripts/gcp-oidc/Dockerfile, consistent with the existing pattern in the main Dockerfile. Fixes CVE-2026-33845, CVE-2026-42010 (CRITICAL) and CVE-2026-33846, CVE-2026-3833, CVE-2026-42011 (HIGH) in gnutls 3.8.12-r0 by upgrading to 3.8.13-r0.

Co-Authored-By: Claude Sonnet 4.6
---
 scripts/azure-cc/Dockerfile | 2 +-
 scripts/gcp-oidc/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile
index 9284d9cec..d8fbc0a2f 100644
--- a/scripts/azure-cc/Dockerfile
+++ b/scripts/azure-cc/Dockerfile
@@ -2,7 +2,7 @@
 FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a

 # Install necessary packages and set up virtual environment
-RUN apk update && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache --upgrade gnutls && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \
diff --git a/scripts/gcp-oidc/Dockerfile b/scripts/gcp-oidc/Dockerfile
index 80b4c955a..5697101af 100644
--- a/scripts/gcp-oidc/Dockerfile
+++ b/scripts/gcp-oidc/Dockerfile
@@ -5,7 +5,7 @@ LABEL "tee.launch_policy.allow_env_override"="API_TOKEN_SECRET_NAME,DEPLOYMENT_E
 LABEL "tee.launch_policy.log_redirect"="always"

 # Install Packages
-RUN apk update && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache --upgrade gnutls && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir google-cloud-secret-manager google-auth google-api-core packaging && \
From 3b7a7b62b34e973429d127c6bc08c02fd4ee080d Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Mon, 18 May 2026 11:33:56 +1000
Subject: [PATCH 2/2] UID2-7109: bump eclipse-temurin to sha256:704db3c4 (ships gnutls 3.8.13-r0)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps the pinned base image digest from ad0cdd97 (2026-04-15) to 704db3c4 (2026-05-08), which ships gnutls 3.8.13-r0 — fixing CVE-2026-33845, CVE-2026-42010 (CRITICAL) and CVE-2026-33846, CVE-2026-3833, CVE-2026-42011 (HIGH) directly in the base image. Also removes the manual `--upgrade gnutls` apk line added in the previous commit (no longer needed) and simplifies Dockerfile's apk step to just `apk add --no-cache gcompat`. Follows the workflow from UID2-6951: bump digest instead of layering manual apk upgrades.

Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 6 +++---
 scripts/azure-cc/Dockerfile | 6 +++---
 scripts/gcp-oidc/Dockerfile | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index faf515204..7493fc991 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
-# sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
-FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
+# sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-704db3c40204a44f471191446ddd9cda5d60dab40f0e15c6507b815ed897238b
+FROM eclipse-temurin@sha256:704db3c40204a44f471191446ddd9cda5d60dab40f0e15c6507b815ed897238b

 # For Amazon Corretto Crypto Provider
-RUN apk add --no-cache gcompat && apk add --no-cache --upgrade gnutls
+RUN apk add --no-cache gcompat

 WORKDIR /app
 EXPOSE 8080
diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile
index d8fbc0a2f..be463844f 100644
--- a/scripts/azure-cc/Dockerfile
+++ b/scripts/azure-cc/Dockerfile
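Review bot: In the Dockerfile hunk above, `RUN apk add --no-cache gcompat` leaves gcompat unpinned, so once the `FROM` digest is bumped the base is reproducible but this one apk step is not — a rebuild against the same digest can pull a different gcompat from the alpine 3.23 repository the tag in the `# sha from` URL points at. Pinning it, `RUN apk add --no-cache gcompat=<GCOMPAT_VERSION from the alpine 3.23 repo>`, closes that gap and is what hadolint DL3018 asks for. It would also help the next bump if the `# sha from` comment recorded what the digest was verified to ship, e.g. `# verified: gnutls 3.8.13-r0 (UID2-7109)`, since the digest alone does not say why it was chosen. The same unpinned-apk point applies to `jq python3 py3-pip` in the azure-cc and gcp-oidc hunks of this patch.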
@@ -1,8 +1,8 @@
-# sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
-FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
+# sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-704db3c40204a44f471191446ddd9cda5d60dab40f0e15c6507b815ed897238b
+FROM eclipse-temurin@sha256:704db3c40204a44f471191446ddd9cda5d60dab40f0e15c6507b815ed897238b

 # Install necessary packages and set up virtual environment
-RUN apk update && apk add --no-cache --upgrade gnutls && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \
diff --git a/scripts/gcp-oidc/Dockerfile b/scripts/gcp-oidc/Dockerfile
index 5697101af..56b9cef2c 100644
--- a/scripts/gcp-oidc/Dockerfile
+++ b/scripts/gcp-oidc/Dockerfile
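Review bot: The new `RUN apk update && apk add --no-cache jq python3 py3-pip && \` line in the azure-cc hunk still runs `apk update` ahead of `apk add --no-cache`; `apk update` writes the package index under `/var/cache/apk/`, which stays in this layer, while `--no-cache` already fetches a fresh index for the install, so the `apk update` is redundant and undoes what `--no-cache` is there for. Dropping it gives `RUN apk add --no-cache jq python3 py3-pip && \`. The same applies to the gcp-oidc hunk of this patch. The RUN instruction continues past the end of this hunk (`&& \`), so only part of it is visible here; the pip packages it installs (`requests azure-identity azure-keyvault-secrets`) are unpinned, so the reproducibility gained by pinning the base digest stops at the pip layer.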
@@ -1,11 +1,11 @@
-# sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
-FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a
+# sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-704db3c40204a44f471191446ddd9cda5d60dab40f0e15c6507b815ed897238b
+FROM eclipse-temurin@sha256:704db3c40204a44f471191446ddd9cda5d60dab40f0e15c6507b815ed897238b

 LABEL "tee.launch_policy.allow_env_override"="API_TOKEN_SECRET_NAME,DEPLOYMENT_ENVIRONMENT,CORE_BASE_URL,OPTOUT_BASE_URL,DEBUG_MODE,SKIP_VALIDATIONS"
 LABEL "tee.launch_policy.log_redirect"="always"

 # Install Packages
-RUN apk update && apk add --no-cache --upgrade gnutls && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir google-cloud-secret-manager google-auth google-api-core packaging && \