
fix(rds): apt-get upgrade base packages to clear stale CVE patches#824

Merged
vieiralucas merged 1 commit into main from worktree-postgres-apt-upgrade
Apr 28, 2026

Conversation

@vieiralucas vieiralucas (Member) commented Apr 28, 2026

Summary

  • Second supply-chain validation (run 25063842355) flagged 35 HIGH/CRITICAL CVEs against postgres:13 only — openssl 3.5.1, glibc 2.41-12, dirmngr 2.4.7-21+b3 — all with fixes already in Debian 13.
  • The upstream postgres:<major> tag refresh cadence can lag the security DB by a cycle, so an in-build apt-get upgrade pulls the patched packages directly instead of waiting on Docker Inc to re-publish.
  • Same change applied to mysql + mariadb Dockerfiles so a future drift on those base tags does not block the next release.

Test plan

  • PR CI green (paths-filtered dry-run build for all 8 engine×version × 2 arch combos)
  • Cubic clean
  • After merge: re-run workflow_dispatch on RDS support images, confirm all 8 scans exit 0
  • Then proceed to v0.13.2 release tag

Summary by cubic

Run apt-get upgrade in RDS base Dockerfiles to pull patched Debian packages and clear stale CVE findings. Fixes Trivy HIGH/CRITICAL issues on postgres:13 and prevents future drift for mysql and mariadb.

  • Bug Fixes
    • Added apt-get upgrade -y --no-install-recommends before installs in postgres, mysql, and mariadb Dockerfiles.
    • Addresses Trivy findings on postgres:13 (openssl 3.5.1, glibc 2.41-12, dirmngr 2.4.7-21+b3) by pulling Debian 13 patched packages at build time.

Written for commit 2c78144.

The first post-fix supply-chain validation showed only postgres:13
flagged 35 (HIGH+CRITICAL) Trivy findings — openssl 3.5.1, glibc
2.41-12, dirmngr — all of which already have patched versions on
the same Debian 13 release. The upstream `postgres:<major>` tags
sometimes lag by a security DB cycle, so we run `apt-get upgrade`
during image build to pull the patched packages directly.

Apply the same to mysql + mariadb so future stale upstream releases
do not block the next supply-chain validation.
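The PR description and commit message above rest on one distinction: a HIGH/CRITICAL Trivy finding whose package already has a patched version in the same Debian release is a stale base image, and `apt-get upgrade` at build time clears it, whereas a finding with no fixed version cannot be cleared that way. The following is an added example, not code from this repository, that makes that split explicit by triaging a Trivy JSON report (its `Results[].Vulnerabilities[]` layout with `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`) and returning a gate exit code only for the fixable findings. The embedded report is a constructed sample: the vulnerability IDs, package names and version strings in it are placeholders chosen to mirror the PR's description, not real advisories or real Debian package versions.

```python
"""Triage a Trivy JSON report: separate HIGH/CRITICAL findings that a plain
`apt-get update && apt-get upgrade` would clear (Debian already ships a
FixedVersion) from findings with no fix yet, and gate on the former.

Added example, not code from this repository. SAMPLE_REPORT is a constructed
report that mimics Trivy's JSON layout; the CVE ids and versions are
placeholders, not real advisories.
"""
import json
from collections import Counter

# Severities the release gate cares about (the PR scans for HIGH/CRITICAL).
GATE_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed sample in Trivy's report shape. Three gate-severity findings:
# two with a fix published (stale base image), one with no fix yet.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "postgres:13",
    "Results": [
        {
            "Target": "postgres:13 (debian 13)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "3.5.1-1", "FixedVersion": "3.5.1-1+deb13u1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.41-12", "FixedVersion": "2.41-12+deb13u1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "dirmngr",
                 "InstalledVersion": "2.4.7-21+b3", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "perl-base",
                 "InstalledVersion": "5.40.1-6", "FixedVersion": "5.40.1-7",
                 "Severity": "LOW"},
            ],
        }
    ],
})


def iter_findings(report):
    """Flatten Results[].Vulnerabilities[] into plain dicts. Trivy omits the
    Vulnerabilities key (or sets it to null) for clean targets, hence .get()."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target", "?"),
            }


def triage(report_json, gate=GATE_SEVERITIES):
    """Return (fixable, unfixed) lists of gate-severity findings.

    'fixable' means the distro already publishes a FixedVersion: the base
    image is simply stale and an in-build apt-get upgrade pulls the patch.
    'unfixed' findings have nothing to upgrade to and need another response
    (mitigate, pin, or accept with a justification)."""
    report = json.loads(report_json)
    fixable, unfixed = [], []
    for f in iter_findings(report):
        if f["severity"] not in gate:
            continue
        (fixable if f["fixed"] else unfixed).append(f)
    return fixable, unfixed


def stale_packages(fixable):
    """Map each stale package to the set of fix versions Trivy reported for
    it; this is the list apt-get upgrade is expected to move past."""
    pkgs = {}
    for f in fixable:
        pkgs.setdefault(f["pkg"], set()).add(f["fixed"])
    return pkgs


def gate_exit_code(report_json):
    """1 if any HIGH/CRITICAL finding remains that the build could have
    patched, else 0. Unfixed findings are printed but do not fail the gate
    here, since no apt-get upgrade can change them."""
    fixable, unfixed = triage(report_json)
    for f in fixable:
        print(f"STALE   {f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> fix {f['fixed']}")
    for f in unfixed:
        print(f"UNFIXED {f['severity']:8} {f['id']} {f['pkg']} {f['installed']}")
    print(f"stale fixable by severity: {dict(Counter(f['severity'] for f in fixable))}; "
          f"unfixed: {len(unfixed)}")
    return 1 if fixable else 0


if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_REPORT))
```

The gate behaviour mirrors `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`; what the script adds is the per-package "stale" listing that tells you the fix is an `apt-get upgrade` away rather than a genuinely open issue. One Dockerfile caveat to pair with it: `apt-get update` and `apt-get upgrade` need to sit in the same `RUN` instruction, otherwise a cached package-list layer can leave the upgrade installing nothing while the scan still fails.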

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 3 files

codecov Bot commented Apr 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@vieiralucas vieiralucas merged commit 4a96aa1 into main Apr 28, 2026
76 of 79 checks passed
@vieiralucas vieiralucas deleted the worktree-postgres-apt-upgrade branch April 28, 2026 17:39