Skip to content

ROB-626: rebuild on fresh base to fix libcrypto3/openssl CVEs#114

Open
Avi-Robusta wants to merge 1 commit into
masterfrom
avi/rob-626-cve-kubewatch
Open

ROB-626: rebuild on fresh base to fix libcrypto3/openssl CVEs#114
Avi-Robusta wants to merge 1 commit into
masterfrom
avi/rob-626-cve-kubewatch

Conversation

@Avi-Robusta

Copy link
Copy Markdown
Contributor

Sub-issue ROB-626 of ROB-595. Fixes the base-image openssl/libcrypto3 CVEs flagged for devel/kubewatch in the 2026-07-14 Vanta scan.

Fix

The vulnerable libcrypto3/libssl3 come from the cgr.dev/chainguard/bash runtime base. A fresh --pull rebuild picks up the patched base (libcrypto3 → 3.6.2-r5+), clearing:
CVE-2026-34180/34181/34182/34183/42764/42765/45445/45447/7383/9076.

Also switched the Go builder to cross-compilation (FROM --platform=$BUILDPLATFORM golang + GOARCH=$TARGETARCH) so multi-arch (amd64+arm64) builds don't run the Go compiler under QEMU emulation — which was crashing with a nil-pointer panic when building amd64 on an arm64 host.

Validation

Built multi-arch and pushed devel/kubewatch:v2.15.0-cve20260714; docker scout re-checked for the target CVEs (see PR checks / ticket). Deploying to avi-test-cluster2 forwarders.

🤖 Generated with Claude Code

The runtime CVEs come from the chainguard/bash base image (libcrypto3/libssl3).
A fresh --pull rebuild picks up the patched base. Also switch the Go builder to
cross-compilation (FROM --platform=$BUILDPLATFORM + GOARCH=$TARGETARCH) so
multi-arch (amd64+arm64) builds don't run the Go compiler under QEMU emulation,
which was crashing.

Fixes CVE-2026-34180/34181/34182/34183/42764/42765/45445/45447/7383/9076.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant