docker: upgrade libcrypto3/libssl3 to clear Trivy HIGH (CVE-2026-28390) (#9059)

* docker: upgrade libcrypto3/libssl3 to clear Trivy HIGH

Trivy gate on ghcr.io/seaweedfs/seaweedfs:latest-amd64 flagged
CVE-2026-28390 in libcrypto3 3.5.5-r0 (fixed in 3.5.6-r0) on the
alpine 3.23.3 base. Add libcrypto3/libssl3 to the existing apk upgrade
so rebuilt images pick up the patched openssl without waiting for a
new alpine base tag.

* docker: apk add libcrypto3/libssl3 so they install at patched version

Per review, apk upgrade <pkg> is a no-op when the package isn't already
installed. libcrypto3/libssl3 come in transitively via curl, so list
them in apk add to guarantee installation at the latest (patched)
version from the alpine repo.
Chris Lu
2026-04-13 15:34:11 -07:00
committed by GitHub
parent ef77df6141
commit 8f2a3d92bb

@@ -57,7 +57,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh
# Install dependencies and create non-root user
RUN apk upgrade --no-cache zlib && \
apk add --no-cache fuse curl su-exec libgcc && \
apk add --no-cache fuse curl su-exec libgcc libcrypto3 libssl3 && \
addgroup -g 1000 seaweed && \
adduser -D -u 1000 -G seaweed seaweed
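Review bot: the `apk add --no-cache fuse curl su-exec libgcc libcrypto3 libssl3` line does not by itself guarantee the patched version. `apk add` avoids changing a package that is already installed unless `--upgrade` is given or a newly added package requires a newer version, so if the alpine 3.23.3 base already carries libcrypto3 3.5.5-r0 (the version the commit message says Trivy flagged), this line can leave it in place. Nothing here pins or checks the fixed version either, so a stale mirror would also pass the build unnoticed. Consider `apk add --no-cache --upgrade ...` or a version constraint such as `'libcrypto3>=3.5.6-r0' 'libssl3>=3.5.6-r0'`, which makes the build fail instead of shipping the vulnerable package. A short comment naming CVE-2026-28390 above the RUN line would also tell the next maintainer why these two libraries are listed explicitly and when the entry can be dropped.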