From 28d67959c9a5a21032d5291da6e8941a9d2488b2 Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 13:40:41 +0000 Subject: [PATCH 1/2] fix: upgrade curl/libcurl to 8.20.0-r0 to address CVE-2026-7009 Certificate Status Request TLS extension (OCSP stapling) certificate validation bypass. Alpine 3.23 ships the patched curl/libcurl 8.20.0-r0; the runner stage's apk upgrade now upgrades them explicitly. Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1508/sourcebot-devsourcebot-cve-2026-7009-curl-curl-certificate-validation#agent-session-cad35e10) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 3 +++ Dockerfile | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c1df382b6..8b6ebf26c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed +- Upgraded `curl`/`libcurl` in the Docker image to `8.20.0-r0` to address CVE-2026-7009. [#1442](https://github.com/sourcebot-dev/sourcebot/pull/1442) + ## [5.1.1] - 2026-07-14 - Add book a call button to sidebar. [#1441](https://github.com/sourcebot-dev/sourcebot/pull/1441) diff --git a/Dockerfile b/Dockerfile index 4a1b016c7..35864fbe1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -165,8 +165,12 @@ ENV SOURCEBOT_LOG_LEVEL=info # Sourcebot collects anonymous usage data using [PostHog](https://posthog.com/). Uncomment this line to disable. # ENV SOURCEBOT_TELEMETRY_DISABLED=1 -# Configure dependencies +# Configure dependencies. +# `apk upgrade --no-cache` pulls patched versions of all base packages. curl and +# libcurl are upgraded explicitly to ensure the image includes the fix for +# CVE-2026-7009 (OCSP stapling certificate validation bypass, fixed in 8.20.0-r0). RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \ + apk upgrade --no-cache curl libcurl && \ apk upgrade --no-cache # Remove npm (unused — we use Yarn). The Node.js base image bundles npm From 7a1f4c7938bcee47637f4c69e7c433258b628485 Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 13:41:13 +0000 Subject: [PATCH 2/2] chore: correct CHANGELOG PR link to #1450 Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1508/sourcebot-devsourcebot-cve-2026-7009-curl-curl-certificate-validation#agent-session-cad35e10) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b6ebf26c..3e8c7556b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Fixed -- Upgraded `curl`/`libcurl` in the Docker image to `8.20.0-r0` to address CVE-2026-7009. [#1442](https://github.com/sourcebot-dev/sourcebot/pull/1442) +- Upgraded `curl`/`libcurl` in the Docker image to `8.20.0-r0` to address CVE-2026-7009. [#1450](https://github.com/sourcebot-dev/sourcebot/pull/1450) ## [5.1.1] - 2026-07-14