From fd3aa5a8e73fd48818fa4f447ea51e03fb5b1b91 Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 13:39:30 +0000 Subject: [PATCH 1/2] fix: pin curl/libcurl to >=8.20.0-r0 to address CVE-2026-5773 Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1504/sourcebot-devsourcebot-cve-2026-5773-curl-libcurl-wrong-file-transfer#agent-session-c22e8539) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4a1b016c7..56fc7630d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -166,7 +166,10 @@ ENV SOURCEBOT_LOG_LEVEL=info # ENV SOURCEBOT_TELEMETRY_DISABLED=1 # Configure dependencies -RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \ +# curl/libcurl are pinned to >=8.20.0-r0 to address CVE-2026-5773 (incorrect SMB +# connection reuse). Pinning also busts the layer cache so `apk upgrade` re-runs +# and pulls the patched Alpine packages. +RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen "curl>=8.20.0-r0" "libcurl>=8.20.0-r0" perl jq openssl util-linux unzip && \ apk upgrade --no-cache # Remove npm (unused — we use Yarn). The Node.js base image bundles npm From 0596bec8def495239ccaed6860221171b02890ab Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 13:39:56 +0000 Subject: [PATCH 2/2] docs: add CHANGELOG entry for CVE-2026-5773 fix Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1504/sourcebot-devsourcebot-cve-2026-5773-curl-libcurl-wrong-file-transfer#agent-session-c22e8539) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c1df382b6..1fc60ce10 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed +- Pinned `curl`/`libcurl` to `^8.20.0-r0` in the Docker image to address CVE-2026-5773. [#1447](https://github.com/sourcebot-dev/sourcebot/pull/1447) + ## [5.1.1] - 2026-07-14 - Add book a call button to sidebar. [#1441](https://github.com/sourcebot-dev/sourcebot/pull/1441)