Skip to content

fix: upgrade curl/libcurl to 8.20.0-r0 to address CVE-2026-7009#1450

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1508-sourcebot-devsourcebot-cve-2026-7009-curl-curl-13e5
Draft

fix: upgrade curl/libcurl to 8.20.0-r0 to address CVE-2026-7009#1450
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1508-sourcebot-devsourcebot-cve-2026-7009-curl-curl-13e5

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1508

Trivy flagged curl/libcurl 8.19.0-r0 in the Docker image for CVE-2026-7009 (OCSP stapling certificate validation bypass, fixed in 8.20.0-r0).

Alpine 3.23 main now ships the patched 8.20.0-r0. The runner stage already ran apk upgrade --no-cache (which covers all base packages), so a rebuild resolves the finding, the shipped image simply predated the patched package. This change makes the curl/libcurl upgrade explicit so the intent is documented and the layer cache is busted, guaranteeing the patched packages are pulled on rebuild.

linear-code Bot added 2 commits July 14, 2026 13:40
Certificate Status Request TLS extension (OCSP stapling) certificate
validation bypass. Alpine 3.23 ships the patched curl/libcurl 8.20.0-r0;
the runner stage's apk upgrade now upgrades them explicitly.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1508/sourcebot-devsourcebot-cve-2026-7009-curl-curl-certificate-validation#agent-session-cad35e10)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants