Skip to content

chore: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-7168#1444

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1509-sourcebot-devsourcebot-cve-2026-7168-curl-libcurl-69e9
Draft

chore: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-7168#1444
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1509-sourcebot-devsourcebot-cve-2026-7168-curl-libcurl-69e9

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1509

Addresses CVE-2026-7168 (libcurl information disclosure via incorrect Proxy-Authorization header reuse), flagged by Trivy against the Docker image's curl/libcurl (installed 8.19.0-r0, fixed in 8.20.0-r0).

Alpine 3.23 now ships the patched curl 8.20.0-r0. The runtime stage already runs apk upgrade --no-cache, but the scan reflects a build from before the patched version was published. This pins curl and libcurl to >=8.20.0-r0 in the runtime apk add so the build fails loudly if the patched version isn't available and the intent is explicit. libcurl is pinned explicitly since it's pulled in transitively by curl, git, and wget.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants