Skip to content

chore: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-4873#1446

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1502-sourcebot-devsourcebot-cve-2026-4873-curl-curl-85b5
Draft

chore: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-4873#1446
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1502-sourcebot-devsourcebot-cve-2026-4873-curl-curl-85b5

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1502

Addresses CVE-2026-4873 (curl/libcurl information disclosure via incorrect TLS connection reuse), fixed upstream in 8.20.0-r0.

The runner stage already runs apk upgrade --no-cache, and Alpine 3.23 ships the patched curl 8.20.0-r0. This pins curl/libcurl to >=8.20.0-r0 in the runner apk add so the patched version is required explicitly and the container scan no longer flags the vulnerable release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants