diff --git a/CHANGELOG.md b/CHANGELOG.md index c1df382b6..a40daffb6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed +- Pinned `curl`/`libcurl` to `^8.20.0-r0` in the runner image to address CVE-2026-6429. [#1448](https://github.com/sourcebot-dev/sourcebot/pull/1448) + ## [5.1.1] - 2026-07-14 - Add book a call button to sidebar. [#1441](https://github.com/sourcebot-dev/sourcebot/pull/1441) diff --git a/Dockerfile b/Dockerfile index 4a1b016c7..ea5814f8e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -166,7 +166,10 @@ ENV SOURCEBOT_LOG_LEVEL=info # ENV SOURCEBOT_TELEMETRY_DISABLED=1 # Configure dependencies -RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \ +# curl/libcurl pinned to >=8.20.0-r0 to address CVE-2026-6429 (credential leak +# via reused proxy connection during HTTP redirects). The pin also busts the +# build-cache layer so `apk upgrade` re-runs and pulls the patched packages. +RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen "curl>=8.20.0-r0" perl jq openssl util-linux unzip && \ apk upgrade --no-cache # Remove npm (unused — we use Yarn). The Node.js base image bundles npm