From e05a280a6a94d1db22e0a17c15da53a36c71e5d9 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Wed, 1 Apr 2026 18:47:29 +1100 Subject: [PATCH 1/2] UID2-6864: Upgrade libpng to fix CVE-2026-33416 and CVE-2026-33636 Add apk upgrade libpng to Dockerfile and Azure CC Dockerfile to upgrade from 1.6.54-r0 to 1.6.56-r0. GCP Dockerfile already had the upgrade in place. Co-Authored-By: Claude Opus 4.6 --- Dockerfile | 3 +++ scripts/azure-cc/Dockerfile | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5fb795c79..9d704183f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,9 @@ # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 +# Upgrade libpng to fix CVE-2026-33416 and CVE-2026-33636 +RUN apk upgrade --no-cache libpng + # For Amazon Corretto Crypto Provider RUN apk add --no-cache gcompat diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile index 7a2880aa3..742f63477 100644 --- a/scripts/azure-cc/Dockerfile +++ b/scripts/azure-cc/Dockerfile @@ -2,7 +2,7 @@ FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 # Install necessary packages and set up virtual environment -RUN apk update && apk add --no-cache jq python3 py3-pip && \ +RUN apk update && apk add --no-cache --upgrade libpng && apk add --no-cache jq python3 py3-pip && \ python3 -m venv /venv && \ . /venv/bin/activate && \ pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \ From 41a7a75225f1e9224fad1f92d8aea2c20e62c2d1 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Wed, 1 Apr 2026 19:05:54 +1100 Subject: [PATCH 2/2] UID2-6837: Silence CVE-2026-33416 and CVE-2026-33636 (libpng) in .trivyignore libpng is an OS-level Alpine package not used by our Java services. Silence with 1-month expiry (2026-05-01) pending base image update. Reverts Dockerfile apk upgrade approach in favor of .trivyignore. Co-Authored-By: Claude Opus 4.6 --- .trivyignore | 7 ++++++- Dockerfile | 3 --- scripts/azure-cc/Dockerfile | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.trivyignore b/.trivyignore index 524f0629b..a4acafd48 100644 --- a/.trivyignore +++ b/.trivyignore @@ -33,4 +33,9 @@ CVE-2026-32776 exp:2026-04-25 # Trivy reports CVE-2026-32776 with transposed digits (32767 instead of 32776) - this is a known Trivy bug # See: https://github.com/aquasecurity/trivy/discussions/10412 and UID2-6806 # This entry can be removed once Trivy fixes the typo -CVE-2026-32767 exp:2026-04-25 \ No newline at end of file +CVE-2026-32767 exp:2026-04-25 + +# libpng use-after-free and OOB read/write in Alpine base image - not used by our Java services +# See: UID2-6837 +CVE-2026-33416 exp:2026-05-01 +CVE-2026-33636 exp:2026-05-01 \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 9d704183f..5fb795c79 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,6 @@ # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 -# Upgrade libpng to fix CVE-2026-33416 and CVE-2026-33636 -RUN apk upgrade --no-cache libpng - # For Amazon Corretto Crypto Provider RUN apk add --no-cache gcompat diff --git a/scripts/azure-cc/Dockerfile b/scripts/azure-cc/Dockerfile index 742f63477..7a2880aa3 100644 --- a/scripts/azure-cc/Dockerfile +++ b/scripts/azure-cc/Dockerfile @@ -2,7 +2,7 @@ FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 # Install necessary packages and set up virtual environment -RUN apk update && apk add --no-cache --upgrade libpng && apk add --no-cache jq python3 py3-pip && \ +RUN apk update && apk add --no-cache jq python3 py3-pip && \ python3 -m venv /venv && \ . /venv/bin/activate && \ pip install --no-cache-dir requests azure-identity azure-keyvault-secrets && \