Skip to content

fix: pin curl to 8.20.0-r0 in Docker image to address CVE-2026-6253#1451

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1505-sourcebot-devsourcebot-cve-2026-6253-curl-curl-proxy-a5ac
Draft

fix: pin curl to 8.20.0-r0 in Docker image to address CVE-2026-6253#1451
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1505-sourcebot-devsourcebot-cve-2026-6253-curl-curl-proxy-a5ac

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1505

curl/libcurl 8.19.0-r0 in the runner image are vulnerable to CVE-2026-6253 (proxy credential disclosure via redirects to unauthenticated proxies), fixed upstream in 8.20.0-r0 (now published in Alpine 3.23 main).

The runner stage already runs apk upgrade --no-cache, but the CI build uses the GitHub Actions layer cache (cache-from/to: type=gha), so rebuilds reused the stale apk add/apk upgrade layer that still contained the vulnerable version. Pinning curl>=8.20.0-r0 changes the RUN instruction, invalidating that layer's cache key so rebuilds pull the patched curl (and its libcurl dependency).

linear-code Bot added 2 commits July 14, 2026 13:41
curl/libcurl 8.19.0-r0 in the runner image are vulnerable to
CVE-2026-6253 (proxy credential disclosure via redirects to
unauthenticated proxies), fixed in 8.20.0-r0.

The runner stage already runs `apk upgrade --no-cache`, but the build
uses the GitHub Actions layer cache, so rebuilds reused the stale
`apk add`/`apk upgrade` layer containing the vulnerable version.
Pinning `curl>=8.20.0-r0` invalidates that layer's cache key so
rebuilds pull the patched curl (and its libcurl dependency).

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1505/sourcebot-devsourcebot-cve-2026-6253-curl-curl-proxy-credential#agent-session-9dfcc259)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants