Skip to content

fix: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-5773#1447

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1504-sourcebot-devsourcebot-cve-2026-5773-curl-libcurl-wrong-95bf
Draft

fix: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-5773#1447
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1504-sourcebot-devsourcebot-cve-2026-5773-curl-libcurl-wrong-95bf

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1504

Addresses CVE-2026-5773 (HIGH): incorrect SMB connection reuse in libcurl. Alpine 3.23 ships the patched curl/libcurl 8.20.0-r0, but the runner stage's apk add ... && apk upgrade layer is cached, so rebuilds kept the vulnerable 8.19.0-r0.

Pinning curl>=8.20.0-r0 (and libcurl>=8.20.0-r0) on the apk add line busts that layer cache so apk upgrade re-runs, guarantees the minimum patched version, and documents intent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants