Skip to content

Commit c893c39

Browse files
swibi-ttdclaude
andcommitted
UID2-7335: upgrade libexpat (expat) to patch CVE-2026-45186
Adds the Alpine expat package to the apk --no-cache --upgrade step so libexpat is bumped to 2.8.1-r0 at build time, clearing the HIGH-severity DoS-via-crafted-XML finding (CVE-2026-45186). Bumping the pinned base image SHA is insufficient: the latest 21-jre-alpine-3.23 image still ships libexpat 2.7.4-r0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent a783b19 commit c893c39

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ COPY ./target/${JAR_NAME}-${JAR_VERSION}-sources.jar /app
1616
COPY ./conf/default-config.json /app/conf/
1717
COPY ./conf/*.xml /app/conf/
1818

19-
RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils gnutls && adduser -D uid2-core && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating
19+
RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils gnutls expat && adduser -D uid2-core && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating
2020
USER uid2-core
2121

2222
CMD java \

0 commit comments

Comments
 (0)