Skip to content

chore: pin curl to ^8.20.0-r0 to address CVE-2026-6429#1448

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1507-sourcebot-devsourcebot-cve-2026-6429-curl-libcurl-f9ea
Draft

chore: pin curl to ^8.20.0-r0 to address CVE-2026-6429#1448
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1507-sourcebot-devsourcebot-cve-2026-6429-curl-libcurl-f9ea

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1507

Trivy flagged curl/libcurl 8.19.0-r0 in the runner image for CVE-2026-6429 (credential leak via a reused proxy connection during HTTP redirects), fixed in 8.20.0-r0.

The runner stage already runs apk upgrade --no-cache, and 8.20.0-r0 is now published for Alpine 3.23. However, the GitHub Actions build cache (cache-from/cache-to in _build.yml) serves the stale apk layer, so the upgrade never re-runs. Pinning curl>=8.20.0-r0 in the apk add line invalidates that layer's cache and guarantees the patched version is installed (libcurl is versioned in lockstep with curl, so it's pulled at 8.20.0-r0 as well).

linear-code Bot added 2 commits July 14, 2026 13:40
Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants