Skip to content

fix: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-5545#1445

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1503-sourcebot-devsourcebot-cve-2026-5545-curl-libcurl-d353
Draft

fix: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-5545#1445
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1503-sourcebot-devsourcebot-cve-2026-5545-curl-libcurl-d353

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1503

Trivy flags curl/libcurl 8.19.0-r0 in the Docker image for CVE-2026-5545 (HTTP Negotiate connection reuse authentication bypass), fixed in 8.20.0-r0. Both are available in the Alpine 3.23 repo.

The runner stage already runs apk upgrade --no-cache, but this pins explicit minimum versions (curl>=8.20.0-r0, libcurl>=8.20.0-r0) on the apk add line so the patched versions are guaranteed and the fix is deterministic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants