diff --git a/Dockerfile b/Dockerfile index 8b244ed..095077b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -36,6 +36,7 @@ RUN apt-get update && apt-get install -y \ curl \ gcc \ g++ \ + && apt-get install -y --only-upgrade libssh2-1t64 \ && rm -rf /var/lib/apt/lists/* # Disable strict host key checking for container diff --git a/Dockerfile.gpu b/Dockerfile.gpu index 3a9f1d6..0dd2f82 100644 --- a/Dockerfile.gpu +++ b/Dockerfile.gpu @@ -18,7 +18,12 @@ RUN uv sync --python 3.12 --no-dev --group code-search --no-install-workspace FROM debian:bookworm-slim COPY --from=ghcr.io/astral-sh/uv:0.9.6 /uv /uvx /bin/ -RUN apt-get update && apt-get install -y git curl libgomp1 && rm -rf /var/lib/apt/lists/* +# Deterministically clear libssh2 CVE-2026-55200 (PLAT-1259). Final stage is +# debian:bookworm-slim (Debian 12), where the package is libssh2-1 (not the +# trixie t64 name used in Dockerfile/Dockerfile.slim). +RUN apt-get update && apt-get install -y git curl libgomp1 \ + && apt-get install -y --only-upgrade libssh2-1 \ + && rm -rf /var/lib/apt/lists/* RUN uv python install 3.12 # Copy CUDA runtime libs from the builder (only what llama-cpp needs at runtime) diff --git a/Dockerfile.slim b/Dockerfile.slim index 522c4fd..06f3c58 100644 --- a/Dockerfile.slim +++ b/Dockerfile.slim @@ -1,7 +1,12 @@ FROM python:3.12-slim COPY --from=ghcr.io/astral-sh/uv:0.9.6 /uv /uvx /bin/ -RUN apt-get update && apt-get install -y git curl && rm -rf /var/lib/apt/lists/* +# Explicitly upgrade libssh2 (trixie t64 package) so CVE-2026-55200 is cleared +# deterministically, not only when the floating base already happens to carry the +# patched package (PLAT-1259). +RUN apt-get update && apt-get install -y git curl \ + && apt-get install -y --only-upgrade libssh2-1t64 \ + && rm -rf /var/lib/apt/lists/* WORKDIR /app diff --git a/RELEASE.md b/RELEASE.md index 139de25..58b5817 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -10,6 +10,17 @@ rename the `[Unreleased]` heading to the new `## vX.Y.Z` and bump ## [Unreleased] +## v0.2.4 + +### Security + +- Clear a CRITICAL container-image vulnerability flagged by Security Command Center — + `libssh2` CVE-2026-55200 (CVSS 8.1, exploit available), an OS base-layer package. + Rebuilds on `python:3.12-slim` and **explicitly upgrades `libssh2`** so the fix is + deterministic rather than dependent on the floating base snapshot. Also bumps + `uv.lock` to `0.2.4` so `uv sync --locked` stays reproducible. No application changes. + (PLAT-1259) + ### Fixed - Startup no longer silently degrades to a token-tools-only catalog when the diff --git a/pyproject.toml b/pyproject.toml index 42fcb2a..50ece72 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "openfilter-mcp" -version = "0.2.3" +version = "0.2.4" requires-python = ">=3.10,<3.13" dependencies = [ "fastmcp>=2.13.1", diff --git a/uv.lock b/uv.lock index 907e467..bae894f 100644 --- a/uv.lock +++ b/uv.lock @@ -1591,7 +1591,7 @@ wheels = [ [[package]] name = "openfilter-mcp" -version = "0.2.3" +version = "0.2.4" source = { editable = "." } dependencies = [ { name = "fastmcp" },