From 586f688b513820d0afcc59a29a8d577ddd805add Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 13:41:13 +0000 Subject: [PATCH 1/2] fix: pin curl to 8.20.0-r0 in Docker image to address CVE-2026-6253 curl/libcurl 8.19.0-r0 in the runner image are vulnerable to CVE-2026-6253 (proxy credential disclosure via redirects to unauthenticated proxies), fixed in 8.20.0-r0. The runner stage already runs `apk upgrade --no-cache`, but the build uses the GitHub Actions layer cache, so rebuilds reused the stale `apk add`/`apk upgrade` layer containing the vulnerable version. Pinning `curl>=8.20.0-r0` invalidates that layer's cache key so rebuilds pull the patched curl (and its libcurl dependency). Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1505/sourcebot-devsourcebot-cve-2026-6253-curl-curl-proxy-credential#agent-session-9dfcc259) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 3 +++ Dockerfile | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c1df382b6..a08f39e76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed +- Upgraded `curl`/`libcurl` in the Docker image to `8.20.0-r0` to address CVE-2026-6253. [#1442](https://github.com/sourcebot-dev/sourcebot/pull/1442) + ## [5.1.1] - 2026-07-14 - Add book a call button to sidebar. [#1441](https://github.com/sourcebot-dev/sourcebot/pull/1441) diff --git a/Dockerfile b/Dockerfile index 4a1b016c7..f7f24dbd0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -166,7 +166,10 @@ ENV SOURCEBOT_LOG_LEVEL=info # ENV SOURCEBOT_TELEMETRY_DISABLED=1 # Configure dependencies -RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \ +# curl/libcurl are pinned to the patched version for CVE-2026-6253 (proxy +# credential disclosure). The explicit pin also invalidates the build cache so +# rebuilds pick up the fix rather than reusing a stale layer. +RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen "curl>=8.20.0-r0" perl jq openssl util-linux unzip && \ apk upgrade --no-cache # Remove npm (unused — we use Yarn). The Node.js base image bundles npm From a176678d79a935448f747f2a843ced36fee6a092 Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 13:41:38 +0000 Subject: [PATCH 2/2] chore: fix changelog PR link Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a08f39e76..a157389cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Fixed -- Upgraded `curl`/`libcurl` in the Docker image to `8.20.0-r0` to address CVE-2026-6253. [#1442](https://github.com/sourcebot-dev/sourcebot/pull/1442) +- Upgraded `curl`/`libcurl` in the Docker image to `8.20.0-r0` to address CVE-2026-6253. [#1451](https://github.com/sourcebot-dev/sourcebot/pull/1451) ## [5.1.1] - 2026-07-14