From 8f2a3d92bb51bbac5783f8e33a4bb65e0bb51007 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Mon, 13 Apr 2026 15:34:11 -0700 Subject: [PATCH] docker: upgrade libcrypto3/libssl3 to clear Trivy HIGH (CVE-2026-28390) (#9059) * docker: upgrade libcrypto3/libssl3 to clear Trivy HIGH Trivy gate on ghcr.io/seaweedfs/seaweedfs:latest-amd64 flagged CVE-2026-28390 in libcrypto3 3.5.5-r0 (fixed in 3.5.6-r0) on the alpine 3.23.3 base. Add libcrypto3/libssl3 to the existing apk upgrade so rebuilt images pick up the patched openssl without waiting for a new alpine base tag. * docker: apk add libcrypto3/libssl3 so they install at patched version Per review, apk upgrade is a no-op when the package isn't already installed. libcrypto3/libssl3 come in transitively via curl, so list them in apk add to guarantee installation at the latest (patched) version from the alpine repo. --- docker/Dockerfile.go_build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build index 1f7777d72..34c0ab56a 100644 --- a/docker/Dockerfile.go_build +++ b/docker/Dockerfile.go_build @@ -57,7 +57,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh # Install dependencies and create non-root user RUN apk upgrade --no-cache zlib && \ - apk add --no-cache fuse curl su-exec libgcc && \ + apk add --no-cache fuse curl su-exec libgcc libcrypto3 libssl3 && \ addgroup -g 1000 seaweed && \ adduser -D -u 1000 -G seaweed seaweed
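Review bot: On the changed `apk add --no-cache fuse curl su-exec libgcc libcrypto3 libssl3` line, nothing enforces the fixed version the commit message names (3.5.6-r0). `apk add` normally leaves an already-installed package at its current version unless `--upgrade` is given, so if an earlier layer already carries libcrypto3 3.5.5-r0 this line can leave it untouched. That mirrors the `apk upgrade` no-op the second bullet of the message describes for the not-installed case. Consider `apk add --no-cache --upgrade` for these two packages so both cases are covered, and state the floor explicitly, for example `'libcrypto3>=3.5.6-r0' 'libssl3>=3.5.6-r0'`, so the build fails rather than silently shipping the flagged version when the repository has not yet published the fix. A one-line comment above the `RUN` naming CVE-2026-28390 would also record why two transitive dependencies of curl are listed by hand, and when the entry can be dropped after the base image is bumped.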