From df82b1413c468ba4cffea4af8702a77d431ffcc0 Mon Sep 17 00:00:00 2001 From: CarlosFelipeOR Date: Tue, 23 Jun 2026 02:02:02 -0300 Subject: [PATCH 1/3] Fix Grype Scan: pin boto3==1.43.33 to avoid botocore runtime ImportError (#1931) Signed-off-by: CarlosFelipeOR --- .github/workflows/grype_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/grype_scan.yml b/.github/workflows/grype_scan.yml index b6781c386f94..eef998199a8e 100644 --- a/.github/workflows/grype_scan.yml +++ b/.github/workflows/grype_scan.yml @@ -50,7 +50,7 @@ jobs: sudo apt-get install -y python3-pip python3-venv python3 -m venv venv source venv/bin/activate - pip install --upgrade requests chardet urllib3 unidiff boto3 PyGithub + pip install --upgrade requests chardet urllib3 unidiff 'boto3==1.43.33' PyGithub pip install testflows==$TESTFLOWS_VERSION awscli==1.33.28 echo PATH=$PATH >>$GITHUB_ENV From cc694807b524bbd443b10115934ee5d57123785e Mon Sep 17 00:00:00 2001 From: CarlosFelipeOR Date: Wed, 24 Jun 2026 12:38:34 -0300 Subject: [PATCH 2/3] Update selected Ubuntu packages to fix CVEs Signed-off-by: CarlosFelipeOR --- docker/server/Dockerfile.ubuntu | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docker/server/Dockerfile.ubuntu b/docker/server/Dockerfile.ubuntu index bb6218b1a4a3..37298cdffe4f 100644 --- a/docker/server/Dockerfile.ubuntu +++ b/docker/server/Dockerfile.ubuntu @@ -8,6 +8,7 @@ ARG DEBIAN_FRONTEND=noninteractive ARG apt_archive="http://archive.ubuntu.com" # We shouldn't use `apt upgrade` to not change the upstream image. It's updated biweekly +# Exception: targeted --only-upgrade for selected packages to address CVEs without a general upgrade. # user/group precreated explicitly with fixed uid/gid on purpose. # It is especially important for rootless containers: in that case entrypoint @@ -24,6 +25,17 @@ RUN sed -i "s|http://archive.ubuntu.com|${apt_archive}|g" /etc/apt/sources.list locales \ tzdata \ wget \ + && apt-get install --yes --no-install-recommends --only-upgrade \ + libgnutls30 \ + libssl3 \ + openssl \ + libsystemd0 \ + libudev1 \ + libgcrypt20 \ + sed \ + liblzma5 \ + && busybox --install -s \ + && apt-get clean \ && rm -rf /var/lib/apt/lists/* /var/cache/debconf /tmp/* #docker-official-library:off From 9c6c1503cf752a4bb1590f2fcf54666b7f0bd42c Mon Sep 17 00:00:00 2001 From: CarlosFelipeOR Date: Wed, 1 Jul 2026 14:34:25 -0300 Subject: [PATCH 3/3] Upgrade Ubuntu packages to apply security fixes Signed-off-by: CarlosFelipeOR --- docker/server/Dockerfile.ubuntu | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/docker/server/Dockerfile.ubuntu b/docker/server/Dockerfile.ubuntu index 37298cdffe4f..882af8c11bdb 100644 --- a/docker/server/Dockerfile.ubuntu +++ b/docker/server/Dockerfile.ubuntu @@ -7,13 +7,13 @@ ARG DEBIAN_FRONTEND=noninteractive # ARG for quick switch to a given ubuntu mirror ARG apt_archive="http://archive.ubuntu.com" -# We shouldn't use `apt upgrade` to not change the upstream image. It's updated biweekly -# Exception: targeted --only-upgrade for selected packages to address CVEs without a general upgrade. +# Upgrade already installed Ubuntu packages to apply available security fixes +# without installing recommended packages. # user/group precreated explicitly with fixed uid/gid on purpose. # It is especially important for rootless containers: in that case entrypoint # can't do chown and owners of mounted volumes should be configured externally. -# We do that in advance at the begining of Dockerfile before any packages will be +# We do that in advance at the beginning of Dockerfile before any packages will be # installed to prevent picking those uid / gid by some unrelated software. # The same uid / gid (101) is used both for alpine and ubuntu. RUN sed -i "s|http://archive.ubuntu.com|${apt_archive}|g" /etc/apt/sources.list \ @@ -25,15 +25,7 @@ RUN sed -i "s|http://archive.ubuntu.com|${apt_archive}|g" /etc/apt/sources.list locales \ tzdata \ wget \ - && apt-get install --yes --no-install-recommends --only-upgrade \ - libgnutls30 \ - libssl3 \ - openssl \ - libsystemd0 \ - libudev1 \ - libgcrypt20 \ - sed \ - liblzma5 \ + && apt-get upgrade --yes --no-install-recommends \ && busybox --install -s \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* /var/cache/debconf /tmp/*