From 37184bdf16bab75bd90371482e18b74a2ad728c2 Mon Sep 17 00:00:00 2001
From: Sunny Wu
Date: Thu, 29 Jan 2026 12:15:49 +1100
Subject: [PATCH 1/2] Update eclipse-temurin base image to fix SSL CVE

Updated alpine base image SHA to address vulnerabilities reported in vulnerability scan.
---
 Dockerfile | 4 ++--
 scripts/azure-cc/Dockerfile | 4 ++--
 scripts/gcp-oidc/Dockerfile | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d4fed6e57..2c92f798b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
-# sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-f599f6fa11f007b6dcf6e85ec2c372c1eba2b6940a7828eb6e665665ea5edd1c
-FROM eclipse-temurin@sha256:243e711289b0f17e05a4df60454bbb1b8ed7b126db4de2d5535da994b7417111
+# sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-79f8eb45e1219ce03b48d045b1ee920ea529acceb7ff2be6fad7b0b5cb6f07e0
+FROM eclipse-temurin@sha256:79f8eb45e1219ce03b48d045b1ee920ea529acceb7ff2be6fad7b0b5cb6f07e0
 
 # For Amazon Corretto Crypto Provider
 RUN apk add --no-cache --upgrade libpng && apk add --no-cache gcompat
diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile
index 7998038a7..3f1eff4c3 100644
--- a/scripts/azure-cc/Dockerfile
+++ b/scripts/azure-cc/Dockerfile
@@ -1,5 +1,5 @@
-# sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-f599f6fa11f007b6dcf6e85ec2c372c1eba2b6940a7828eb6e665665ea5edd1c
-FROM eclipse-temurin@sha256:243e711289b0f17e05a4df60454bbb1b8ed7b126db4de2d5535da994b7417111
+# sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-79f8eb45e1219ce03b48d045b1ee920ea529acceb7ff2be6fad7b0b5cb6f07e0
+FROM eclipse-temurin@sha256:79f8eb45e1219ce03b48d045b1ee920ea529acceb7ff2be6fad7b0b5cb6f07e0
 
 # Install necessary packages and set up virtual environment
 RUN apk update && apk add --no-cache jq python3 py3-pip && \
diff --git a/scripts/gcp-oidc/Dockerfile b/scripts/gcp-oidc/Dockerfile
index 49722644a..619e7bcc4 100644
--- a/scripts/gcp-oidc/Dockerfile
+++ b/scripts/gcp-oidc/Dockerfile
@@ -1,5 +1,5 @@
-# sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-f599f6fa11f007b6dcf6e85ec2c372c1eba2b6940a7828eb6e665665ea5edd1c
-FROM eclipse-temurin@sha256:243e711289b0f17e05a4df60454bbb1b8ed7b126db4de2d5535da994b7417111
+# sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-79f8eb45e1219ce03b48d045b1ee920ea529acceb7ff2be6fad7b0b5cb6f07e0
+FROM eclipse-temurin@sha256:79f8eb45e1219ce03b48d045b1ee920ea529acceb7ff2be6fad7b0b5cb6f07e0
 
 LABEL "tee.launch_policy.allow_env_override"="API_TOKEN_SECRET_NAME,DEPLOYMENT_ENVIRONMENT,CORE_BASE_URL,OPTOUT_BASE_URL,DEBUG_MODE,SKIP_VALIDATIONS"
 LABEL "tee.launch_policy.log_redirect"="always"

From ee8781c6d2d4af6bf90f7b4955ce2eb471e8835b Mon Sep 17 00:00:00 2001
From: Sunny Wu
Date: Thu, 29 Jan 2026 12:27:56 +1100
Subject: [PATCH 2/2] upgrade libpng to fix CVE-2026-22695 and CVE-2026-22801

---
 scripts/azure-cc/Dockerfile | 2 +-
 scripts/gcp-oidc/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile
index 3f1eff4c3..4eb79c648 100644
--- a/scripts/azure-cc/Dockerfile
+++ b/scripts/azure-cc/Dockerfile
@@ -2,7 +2,7 @@
 FROM eclipse-temurin@sha256:79f8eb45e1219ce03b48d045b1ee920ea529acceb7ff2be6fad7b0b5cb6f07e0
 
 # Install necessary packages and set up virtual environment
-RUN apk update && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache --upgrade libpng && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \
diff --git a/scripts/gcp-oidc/Dockerfile b/scripts/gcp-oidc/Dockerfile
index 619e7bcc4..22646304b 100644
--- a/scripts/gcp-oidc/Dockerfile
+++ b/scripts/gcp-oidc/Dockerfile
@@ -5,7 +5,7 @@ LABEL "tee.launch_policy.allow_env_override"="API_TOKEN_SECRET_NAME,DEPLOYMENT_E
 LABEL "tee.launch_policy.log_redirect"="always"
 
 # Install Packages
-RUN apk update && apk add --no-cache jq python3 py3-pip && \
+RUN apk update && apk add --no-cache --upgrade libpng && apk add --no-cache jq python3 py3-pip && \
 python3 -m venv /venv && \
 . /venv/bin/activate && \
 pip install --no-cache-dir google-cloud-secret-manager google-auth google-api-core packaging && \
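Review bot: The `--upgrade libpng` added to the RUN line is unpinned, so whether a build actually receives the libpng fix for CVE-2026-22695 and CVE-2026-22801 depends on the state of the Alpine package index at build time, and two builds from the same digest-pinned base can produce different images; the same applies to the scripts/gcp-oidc/Dockerfile hunk below. Pinning the package, `apk add --no-cache --upgrade libpng=<fixed-libpng-version>`, makes the build fail loudly when that version is no longer served instead of silently producing a still-vulnerable image, and a comment above the RUN such as `# libpng pinned/upgraded for CVE-2026-22695 and CVE-2026-22801` records why the extra step exists. The leading `apk update` is also redundant next to `apk add --no-cache`, which refreshes the index itself, and it leaves the fetched index cache in the image layer. Since the scripts/gcp-oidc image carries tee.launch_policy labels, a non-reproducible image digest is presumably something its attestation policy has to account for — worth confirming. The RUN instruction continues past the end of both hunks.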