
chore(kiloclaw): Image Updates for CVEs #4373

Open
St0rmz1 wants to merge 1 commit into main from chore/kiloclaw-image-cve-hardening

Conversation

@St0rmz1 St0rmz1 commented Jul 2, 2026

Contributor

Summary

Reduce the fixable CVE surface of the KiloClaw image by bumping the pinned Go
tools and refreshing the base apt layer. The main change is updating gogcli from
v0.14.0 to v0.31.1 (and pointing at its current repo, github.com/openclaw/gogcli),
which replaces the vulnerable bundled golang.org/x/crypto with a patched version
and clears the Critical CVEs it carried. The apt cache-bust is refreshed so the
image also picks up the latest chromium, gh, and 1password-cli.

Changes

  • Update gogcli to v0.31.1 and switch the download URL to
    github.com/openclaw/gogcli. The repo moved from steipete/gogcli; the old URL
    only resolved via a redirect.
  • Bump the go install tools: goplaces v0.3.0 to v0.4.3, blogwatcher v0.0.2 to
    v0.0.3, xurl v1.1.0 to v1.2.2, gifgrep v0.2.3 to v0.3.0.
  • Bump APT_CACHE_BUST from 2026-05-08 to 2026-07-02 to refresh chromium, gh,
    1password-cli, and base apt security updates, and update the adjacent comment.

Verification

Local services/kiloclaw/scripts/tests/openclaw-upgrade-validate.sh runs:

  • Keyless phase: 12 passed / 0 failed (image build, Dockerfile patch guards,
    config-shape checks).
  • grype before/after: Critical 123 to 120, High 378 to 369, total 1604 to
    1583. gog.real now embeds golang.org/x/crypto@v0.53.0 (was the vulnerable
    v0.50.0).
  • Credentialed live smoke: the candidate image passed every check, including
    the live Auto Free gateway turn and the kilocode provider-load and vision
    checks. A baseline-image live turn failed on a transient free-tier rate limit,
    unrelated to this change (the candidate turn passed).
  • Confirmed gogcli v0.31.1 still exposes the CLI the controller calls
    (gog gmail watch renew --account, plus the gmail/drive/docs/sheets commands
    the shim routes).

Visual Changes

N/A

Reviewer Notes

  • gogcli jumped several minor versions (v0.14.0 to v0.31.1) because its repo
    moved to the openclaw org and had not been bumped in a while. The Gmail tool
    (gog) is not exercised by the smoke, so its CLI compatibility was checked
    manually against the controller's usage.
  • Most of the image's remaining Critical/High CVEs are not fixable by a version
    bump right now: chromium (no fixed version available in trixie for the flagged
    CVEs), the 1Password CLI (op, a vendor binary built on an older Go stdlib), and
    Debian base packages (perl, python, mbedtls). Those are tracked separately.
  • No application or controller code changed. The diff is limited to
    services/kiloclaw/Dockerfile.
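An added example, not code from this PR or the KiloClaw repository: a small Go program that reproduces the two verification steps the description relies on, the grype before/after comparison and the check of which golang.org/x/crypto version a built binary embeds, as an automated gate rather than a manual reading of scanner output. All inputs are constructed inline: the CVE IDs and module hashes are placeholders, and the grype JSON field names (`matches[].vulnerability.{id,severity,fix.state}`) and the tab-separated `dep`/`mod` lines of `go version -m` are assumptions about those tools' output formats.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// grypeReport is the subset of `grype -o json` output the checks below read.
// Assumption: these are the field names grype emits.
type grypeReport struct {
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			Fix      struct {
				State string `json:"state"` // "fixed", "not-fixed", "wont-fix", ...
			} `json:"fix"`
		} `json:"vulnerability"`
		Artifact struct {
			Name string `json:"name"`
		} `json:"artifact"`
	} `json:"matches"`
}

// Constructed sample scans (not real output; CVE IDs are placeholders).
// Before: two fixable findings on old x/crypto plus one chromium finding with no fix.
const beforeJSON = `{"matches":[
 {"vulnerability":{"id":"CVE-XXXX-0001","severity":"Critical","fix":{"state":"fixed"}},"artifact":{"name":"golang.org/x/crypto"}},
 {"vulnerability":{"id":"CVE-XXXX-0002","severity":"High","fix":{"state":"fixed"}},"artifact":{"name":"golang.org/x/crypto"}},
 {"vulnerability":{"id":"CVE-XXXX-0003","severity":"Critical","fix":{"state":"not-fixed"}},"artifact":{"name":"chromium"}}
]}`

// After: only the unfixable chromium finding remains.
const afterJSON = `{"matches":[
 {"vulnerability":{"id":"CVE-XXXX-0003","severity":"Critical","fix":{"state":"not-fixed"}},"artifact":{"name":"chromium"}}
]}`

func parseReport(raw string) (grypeReport, error) {
	var r grypeReport
	err := json.Unmarshal([]byte(raw), &r)
	return r, err
}

// countBySeverity tallies matches per severity label (Critical, High, ...).
func countBySeverity(r grypeReport) map[string]int {
	counts := map[string]int{}
	for _, m := range r.Matches {
		counts[m.Vulnerability.Severity]++
	}
	return counts
}

// fixedIDs returns, sorted, the IDs present before but absent after: what the bump cleared.
func fixedIDs(before, after grypeReport) []string {
	still := map[string]bool{}
	for _, m := range after.Matches {
		still[m.Vulnerability.ID] = true
	}
	var out []string
	for _, m := range before.Matches {
		if !still[m.Vulnerability.ID] {
			out = append(out, m.Vulnerability.ID)
		}
	}
	sort.Strings(out)
	return out
}

// unfixableIDs returns the IDs with no fix state of "fixed": the residue a version
// bump cannot clear and that has to be tracked separately.
func unfixableIDs(r grypeReport) []string {
	var out []string
	for _, m := range r.Matches {
		if m.Vulnerability.Fix.State != "fixed" {
			out = append(out, m.Vulnerability.ID)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample of `go version -m <binary>` output (hashes are placeholders).
const goVersionM = `/usr/local/bin/gog.real: go1.22.0
	path	github.com/openclaw/gogcli
	mod	github.com/openclaw/gogcli	v0.31.1	h1:placeholder=
	dep	golang.org/x/crypto	v0.53.0	h1:placeholder=
`

// embeddedModuleVersion returns the version recorded for module in `go version -m`
// output, or "" if the module is not embedded. Lines are "dep|mod <path> <version> <hash>".
func embeddedModuleVersion(out, module string) string {
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && (f[0] == "dep" || f[0] == "mod") && f[1] == module {
			return f[2]
		}
	}
	return ""
}

// versionAtLeast compares plain "vX.Y.Z" tags numerically (no pre-release handling).
func versionAtLeast(have, min string) bool {
	parse := func(v string) (n [3]int) {
		for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	h, m := parse(have), parse(min)
	for i := 0; i < 3; i++ {
		if h[i] != m[i] {
			return h[i] > m[i]
		}
	}
	return true
}

func main() {
	before, _ := parseReport(beforeJSON)
	after, _ := parseReport(afterJSON)
	for _, sev := range []string{"Critical", "High"} {
		fmt.Printf("%s: %d -> %d\n", sev, countBySeverity(before)[sev], countBySeverity(after)[sev])
	}
	fmt.Println("cleared by bump:", fixedIDs(before, after))
	fmt.Println("no fix available (track separately):", unfixableIDs(after))
	v := embeddedModuleVersion(goVersionM, "golang.org/x/crypto")
	fmt.Printf("x/crypto embedded %s, meets v0.53.0 floor: %v\n", v, versionAtLeast(v, "v0.53.0"))
}
```

To run this against a real image, feed `grype <image> -o json` for the baseline and candidate into parseReport and the output of `go version -m /path/to/gog.real` from inside the container into embeddedModuleVersion; a CI gate would fail the build if any new Critical ID appears in the candidate or the embedded x/crypto version falls below the floor.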
