Fix CVE-2026-22184 and auto-track base image tags in digest workflow #21333
Merged
This ensures the zlib package is updated from 1.3.1-r2 to 1.3.2-r0, fixing CVE-2026-22184 detected by the daily vulnerability scan. Co-authored-by: Ona <no-reply@ona.com>
3167f05 to f4d28cf
The daily update-image-digest workflow only updated images pinned with @sha256: digests. Dockerfiles using tag-based references like node:22.22.0-alpine or caddy/caddy:2.11-alpine were not tracked, causing them to go stale and accumulate vulnerabilities. Add a new step that uses crane ls to find the latest patch release for tracked base images (node, caddy/caddy) and updates FROM lines in Dockerfiles accordingly. Co-authored-by: Ona <no-reply@ona.com>
corneliusludmann approved these changes Mar 9, 2026
Base image tags (node:22.22.1-alpine, caddy/caddy:2.11.2-alpine) still ship zlib 1.3.1-r2. The fix (1.3.2-r0) is available in Alpine repos but the upstream images haven't been rebuilt yet. Running apk upgrade in the Dockerfile ensures the fix is picked up at build time regardless. This matches the existing pattern in ide-proxy and proxy Dockerfiles. Co-authored-by: Ona <no-reply@ona.com>
geropl added a commit that referenced this pull request Mar 9, 2026
Same fix as the other Caddy-based images (dashboard, ide-proxy) from #21333. The proxy Dockerfile was missed in that PR. Together with the existing apk upgrade --no-cache, this resolves CVE-2026-22184 (zlib 1.3.1-r2 -> 1.3.2-r0). Co-authored-by: Ona <no-reply@ona.com>
Motivation
The daily vulnerability scan on main (build run) reported a critical vulnerability (CVE-2026-22184, zlib 1.3.1-r2) across 6 Docker images. The root cause: Dockerfiles referenced stale base image tags, and the existing update-image-digest workflow only tracked @sha256:-pinned images, not tag-based references like node:22.22.0-alpine.
Resolves CLC-2227
Changes
Bump base image tags
Bump node:22.22.0-alpine → node:22.22.1-alpine and caddy/caddy:2.11-alpine → caddy/caddy:2.11.2-alpine in 4 Dockerfiles (server, gitpod-db, ws-manager-bridge, dashboard). The updated Alpine packages include zlib 1.3.2-r0, fixing CVE-2026-22184. The remaining 2 images (ide-proxy, proxy) already had apk upgrade --no-cache and will pick up the fix on next build.
Prevent future staleness: update-image-digest.yml
Add a new "Update base image tags in Dockerfiles" step to the daily workflow. It uses crane ls + sort -V to find the latest patch release for tracked base images and updates FROM lines accordingly. Currently tracked patterns:
- node:22.22.X-alpine
- node:22.22.X
- caddy/caddy:2.11[.X]-alpine
New base images that should be auto-updated require adding an entry to the TRACKED_IMAGES array. This is intentional: explicit tracking avoids accidentally bumping images that need manual validation (e.g., major/minor versions, or LTS tags like ubuntu:22.04).
Verification
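The tag-tracking step described under Changes, as an added example and not the PR's own workflow code: a POSIX sh sketch that filters a tag list of the kind crane ls prints down to one tracked family, picks the newest tag with sort -V, and rewrites matching FROM lines. The function names, the tag lists and the Dockerfile are constructed assumptions; the real step would run crane ls against the registry instead of using an embedded list.

```shell
#!/bin/sh
# Stand-in for the workflow's "Update base image tags" step (example code, not
# the PR's own): filter the tags that `crane ls` would print to one tracked
# family, take the newest with sort -V, and rewrite matching FROM lines.
set -eu

# Constructed stand-in for `crane ls node` / `crane ls caddy/caddy` output.
NODE_TAGS='22.22.0-alpine
22.22.1-alpine
22.22.1
22.22.1-alpine3.21
22.23.0-alpine
23.0.0-alpine'
CADDY_TAGS='2.11-alpine
2.11.1-alpine
2.11.2-alpine
2.11.2
2.12.0-alpine'

# latest_tag PATTERN TAGS: PATTERN is an anchored ERE for the tracked family,
# e.g. '22\.22\.[0-9]+-alpine'. sort -V compares numeric components as numbers,
# so 22.22.10 would sort after 22.22.9 where a plain sort would not.
latest_tag() {
  printf '%s\n' "$2" | grep -E "^$1\$" | sort -V | tail -n 1
}

# bump_from IMAGE PATTERN NEW_TAG FILE: rewrite "FROM IMAGE:<tag in family>",
# alone or followed by " AS stage", to NEW_TAG. Two substitutions rather than a
# capture group, so PATTERN may contain groups of its own. Tags outside the
# family (22.22.0-alpine3.21 when tracking 22.22.X-alpine) are left alone.
bump_from() {
  sed -E -e "s#^FROM $1:$2\$#FROM $1:$3#" -e "s#^FROM $1:$2 #FROM $1:$3 #" \
    "$4" > "$4.tmp" && mv "$4.tmp" "$4"
}

# Both tracked families against a constructed multi-stage Dockerfile.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' 'FROM node:22.22.0-alpine AS builder' 'RUN npm ci' \
    'FROM caddy/caddy:2.11-alpine' 'COPY --from=builder /app/dist /srv' \
    'FROM node:22.22.0-alpine3.21' > "$dir/Dockerfile"
  node=$(latest_tag '22\.22\.[0-9]+-alpine' "$NODE_TAGS")
  caddy=$(latest_tag '2\.11(\.[0-9]+)?-alpine' "$CADDY_TAGS")
  bump_from node '22\.22\.[0-9]+-alpine' "$node" "$dir/Dockerfile"
  bump_from caddy/caddy '2\.11(\.[0-9]+)?-alpine' "$caddy" "$dir/Dockerfile"
  cat "$dir/Dockerfile"
  rm -r "$dir"
}
demo
```

The anchored pattern is what keeps a tracked family from drifting: 22.23.0-alpine and 22.22.1-alpine3.21 are both present in the constructed list but never selected for the 22.22.X-alpine entry.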