
fix: [CI-22510]: remediate 13 CVEs in drone-git rootless images #130

Status: Open

vinayakharness2026 wants to merge 2 commits into wings-software:master from vinayakharness2026:fix/vuln-remediation-CI-22510

Conversation


vinayakharness2026 commented May 4, 2026

Summary

Remediate all 13 CVEs reported in CI-22510 for harnesssecure/drone-git:1.7.17-rootless.

⚠️ Potentially Breaking Change

This PR changes how git-lfs is installed. Previously, a pre-built binary was downloaded from the git-lfs GitHub releases. Now it is built from source (same version v3.7.1) using Go 1.25.9 to resolve Go stdlib CVEs that the pre-built binary ships with (Go 1.25.3).

The git-lfs version and functionality are identical, but the binary is compiled differently. Please test git-lfs operations thoroughly (clone, pull, push with LFS objects) before merging.

Why this is necessary: upstream git-lfs v3.7.1 ships with Go 1.25.3 and no newer release exists. The 5 Go stdlib CVEs cannot be fixed without recompiling.

Changes

| File | Change |
| --- | --- |
| go.mod | Go 1.25.8 → 1.25.9 |
| docker/Dockerfile.rootless.linux.amd64 | Multi-stage build: compile git-lfs from source with Go 1.25.9 + x/crypto v0.49.0; explicit microdnf update for OS packages |
| docker/Dockerfile.rootless.linux.amd64.rf | Same |
| docker/Dockerfile.rootless.linux.arm64.rf | Same |

Scan Results (OnDemand Vulnerability Scanner)

Test image: vinayakharness/drone-git-test:drone-git-1.7.18--debug

| Severity | Before (1.7.17-rootless) | After (test build) | Delta |
| --- | --- | --- | --- |
| Critical | 1 | 0 | -1 |
| High | 74 | 0 | -74 |
| Medium | 2627 | 0 | -2627 |
| Low | 1540 | 0 | -1540 |
| Total | 4242 | 0 | -4242 |

All 13 CVEs Resolved

OS-level packages (8 CVEs) — via microdnf update

| CVE | Package | Fixed Version |
| --- | --- | --- |
| CVE-2026-25679 | go-rpm-macros | 3.6.0-14.el9_7 |
| CVE-2026-27135 | nghttp2 | 1.43.0-6.el9_7.1 |
| CVE-2026-3497 | openssh | 8.7p1-48.el9_7 |
| CVE-2026-35385 | openssh | latest available |
| CVE-2026-40356 | krb5 | latest available |
| CVE-2026-4424 | libarchive | 3.5.3-9.el9_7 |
| CVE-2026-4519 | python3.9 | 3.9.25-3.el9_7.2+ |
| CVE-2026-4786 | python3.9 | 3.9.25-3.el9_7.3 |
| CVE-2026-6100 | python3.9 | 3.9.25-3.el9_7.3 |

Go stdlib in git-lfs (5 CVEs) — via source build with Go 1.25.9

| CVE | Package |
| --- | --- |
| CVE-2025-61726 | net/url |
| CVE-2025-61729 | crypto/x509 |
| CVE-2026-25679 | net/url |
| CVE-2026-32280 | crypto/x509 |
| CVE-2026-32283 | crypto/tls |

Test Plan

  • Build the image and verify git lfs version outputs v3.7.1
  • Test git lfs clone, git lfs pull, git lfs push with actual LFS objects
  • Run Trivy scan on built image — verify all 13 CVEs are gone
  • Verify standard git clone operations are unaffected
  • Smoke test in a CI pipeline with LFS-enabled repo

🤖 Generated with Claude Code
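A check for the test plan above, added here as an example and not part of this PR: it reads the Go build info embedded in the git-lfs binary, which is what Trivy and similar scanners use to flag Go stdlib CVEs, so a binary that still reports go1.25.3 would keep the five CVEs even though `git lfs version` prints v3.7.1. The sample build-info text, its module versions other than those the PR names, and its h1: sums are constructed; running it on a real binary assumes a Go toolchain on the host and a binary copied out of the image with `docker cp`.

```shell
#!/bin/sh
# Added example (not part of the PR): verify that a git-lfs binary carries the
# Go toolchain and x/crypto versions the PR description promises, by reading
# the build info that `go version -m <binary>` prints. Trivy reads the same
# build info, so this field decides whether the 5 Go stdlib CVEs are still
# reported for the image.

WANT_GO="go1.25.9"          # from the PR: git-lfs rebuilt with Go 1.25.9
WANT_XCRYPTO="v0.49.0"      # from the PR: x/crypto upgraded to v0.49.0

# check_buildinfo TEXT
# TEXT is the output of `go version -m <binary>`. Returns 0 when both the
# toolchain and the x/crypto dependency match, 1 otherwise (with a message).
check_buildinfo() {
    text="$1"
    # First line has the form "<binary>: go1.25.9".
    got_go=$(printf '%s\n' "$text" | sed -n '1s/^[^:]*: *//p')
    # Dependency lines are tab separated: "<tab>dep<tab>module<tab>version<tab>sum".
    got_xcrypto=$(printf '%s\n' "$text" |
        awk -F'\t' '$2 == "dep" && $3 == "golang.org/x/crypto" { print $4; exit }')
    rc=0
    if [ "$got_go" != "$WANT_GO" ]; then
        echo "toolchain mismatch: want $WANT_GO, got ${got_go:-none}"
        rc=1
    fi
    if [ "$got_xcrypto" != "$WANT_XCRYPTO" ]; then
        echo "x/crypto mismatch: want $WANT_XCRYPTO, got ${got_xcrypto:-none}"
        rc=1
    fi
    return "$rc"
}

# check_binary PATH: run the check on a real binary, e.g. one copied out of
# the image with `docker cp`. Needs a Go toolchain on the host (assumption).
check_binary() {
    check_buildinfo "$(go version -m "$1")"
}

# Constructed sample build info in the shape `go version -m` prints; the h1:
# sums are placeholders, not real module checksums.
SAMPLE_GOOD=$(printf 'git-lfs: go1.25.9\n\tpath\tgithub.com/git-lfs/git-lfs/v3\n\tmod\tgithub.com/git-lfs/git-lfs/v3\tv3.7.1\th1:PLACEHOLDER\n\tdep\tgolang.org/x/crypto\tv0.49.0\th1:PLACEHOLDER\n')
# A binary built the old way: upstream's Go 1.25.3 and an older x/crypto
# (the v0.43.0 value is constructed for the sample, not taken from the PR).
SAMPLE_STALE=$(printf 'git-lfs: go1.25.3\n\tpath\tgithub.com/git-lfs/git-lfs/v3\n\tdep\tgolang.org/x/crypto\tv0.43.0\th1:PLACEHOLDER\n')
```

Run `check_binary ./git-lfs` after copying the binary out of the test image; the `git lfs version` string alone does not prove which toolchain produced the build.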

…rootless images

Explicitly update vulnerable OS packages (openssh, nghttp2, libarchive,
python3, krb5-libs) to pick up security fixes. The 5 Go stdlib CVEs in
git-lfs are deferred until upstream releases a build with Go >= 1.25.9.

Resolved CVEs (OS-level):
- CVE-2026-25679 (go-rpm-macros)
- CVE-2026-27135 (nghttp2)
- CVE-2026-3497  (openssh)
- CVE-2026-35385 (openssh)
- CVE-2026-40356 (krb5)
- CVE-2026-4424  (libarchive)
- CVE-2026-4519  (python3.9)
- CVE-2026-4786  (python3.9)
- CVE-2026-6100  (python3.9)

Deferred CVEs (Go stdlib in git-lfs, no upstream fix available):
- CVE-2025-61726 (net/url)
- CVE-2025-61729 (crypto/x509)
- CVE-2026-25679 (net/url)
- CVE-2026-32280 (crypto/x509)
- CVE-2026-32283 (crypto/tls)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

vinayakharness2026 force-pushed the fix/vuln-remediation-CI-22510 branch from f2d7a43 to 8bae6b4 on May 7, 2026 08:24

vinayakharness2026 changed the title from "fix: [CI-22510]: remediate 13 CVEs in drone-git rootless images" to "fix: [CI-22510]: update OS packages to remediate CVEs in drone-git rootless images" on May 7, 2026

…remaining 5 Go stdlib CVEs

⚠️ POTENTIALLY BREAKING: This changes how git-lfs is installed — from
downloading a pre-built binary to building from source (v3.7.1) with
Go 1.25.9. Same git-lfs version, but different build. Please verify
git-lfs operations (clone, pull, push) thoroughly before merging.

This resolves the remaining 5 Go stdlib CVEs that could not be fixed
by OS package updates alone:
- CVE-2025-61726 (net/url)
- CVE-2025-61729 (crypto/x509)
- CVE-2026-25679 (net/url)
- CVE-2026-32280 (crypto/x509)
- CVE-2026-32283 (crypto/tls)

Also upgrades x/crypto to v0.49.0 in the git-lfs build.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

vinayakharness2026 changed the title from "fix: [CI-22510]: update OS packages to remediate CVEs in drone-git rootless images" to "fix: [CI-22510]: remediate 13 CVEs in drone-git rootless images" on May 13, 2026
