fix: docker-ptf May vulnerability #27334
Conversation
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
This PR updates the docker-ptf image build to address reported security vulnerabilities by refreshing pinned toolchain components inside the container.
Changes:
- Bump the pinned Go toolchain version (and per-arch SHA256s) used to build grpcurl/gnmic from source.
- Add steps intended to upgrade pip within the bundled influxdb3-core Python payload and remove older pip dist-info metadata.
5f9d79c to 70273e8
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Austin Pham (agent) <austinpham@microsoft.com>
70273e8 to dab6f12
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
/azpw retry
Retrying failed(or canceled) jobs...
Retrying failed(or canceled) stages in build 1113150: ✅Stage Test:
ZhaohuiS
left a comment
Three targeted security fixes: Go 1.25.9 to 1.25.10 with correct per-arch SHA256 hashes, pip remediation scoped to influxdb3-python's bundled Python 3.13 site-packages (not the host Python 3.11 env), and removing the apt version pin before the final dist-upgrade so Debian security patches for wireshark/libpng actually get pulled in. The pip cleanup logic correctly derives the newest dist-info from the target directory itself rather than relying on the host pip version.
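To illustrate the dist-info cleanup the comment above describes, here is an added POSIX sh helper (not code from this PR or from sonic-buildimage): given the bundled interpreter's site-packages directory, it picks the newest pip-*.dist-info by numeric version and removes the older ones, touching only the directory it is handed rather than the host Python. The function names and the sample directory layout are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, not part of the PR: prune stale pip dist-info metadata
# inside one site-packages directory (e.g. the influxdb3-core bundled Python).

# Extract the version embedded in a dist-info name: pip-25.3.dist-info -> 25.3
distinfo_version() {
    basename "$1" | sed -e 's/^pip-//' -e 's/\.dist-info$//'
}

# Print the path of the pip dist-info with the highest version under $1.
# Versions are split into major/minor/patch and sorted numerically, so
# 25.10 correctly ranks above 25.3 (a plain string sort would get this wrong).
newest_pip_distinfo() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    for d in "$1"/pip-*.dist-info; do
        [ -d "$d" ] || continue
        v=$(distinfo_version "$d")
        major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
        minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
        patch=${rest%%.*}
        printf '%s %s %s %s\n' "${major:-0}" "${minor:-0}" "${patch:-0}" "$d"
    done | sort -k1,1n -k2,2n -k3,3n | tail -n 1 | cut -d ' ' -f4-
}

# Print every pip dist-info under $1 except the newest one.
stale_pip_distinfos() {
    keep=$(newest_pip_distinfo "$1") || return 1
    for d in "$1"/pip-*.dist-info; do
        [ -d "$d" ] || continue
        [ "$d" = "$keep" ] || printf '%s\n' "$d"
    done
}

# Delete the stale dist-info directories; only paths matching the
# pip-*.dist-info pattern directly under $1 are ever removed.
remove_stale_pip_distinfos() {
    stale_pip_distinfos "$1" | while IFS= read -r d; do
        rm -rf "$d"
    done
}

# Usage: sh prune_pip_distinfo.sh /path/to/site-packages
if [ -n "${1:-}" ]; then
    printf 'keeping %s\n' "$(newest_pip_distinfo "$1")"
    remove_stale_pip_distinfos "$1"
fi
```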
Would this fix be able to fix Azure.sonic-buildimage (Test Trivy vulnerability scan (docker-ptf)), failing after 18m, or would this check still fail for some time? Also, what's the motivation to add this check on docker-ptf? docker-ptf would not be in the production image, but a test helper docker only. Would it be worth it to make this check?
@eddieruan-alibaba No, it can only fix the Go & pip3 influxdb vulnerabilities. #27347 will fix the remaining ones. Even if it's only for test purposes, it's still required that we fix it from our side.
Why I did it
Fix the current list of vulnerabilities:
Python (Pip) Security Update for pip (GHSA-jp4c-xjxw-mgf9)
Debian Security Update for wireshark (CVE-2026-6530)
Debian Security Update for wireshark (CVE-2026-5653)
Debian Security Update for wireshark (CVE-2026-5405)
Debian Security Update for wireshark (CVE-2026-6529)
Go (Go) Security Update for stdlib golang.org/x/net/http2 (GO-2026-4918)
Go (Go) Security Update for stdlib (GO-2026-4982)
Go (Go) Security Update for stdlib (GO-2026-4981)
Go (Go) Security Update for stdlib (GO-2026-4980)
Go (Go) Security Update for stdlib (GO-2026-4986)
Go (Go) Security Update for stdlib (GO-2026-4971)
Go (Go) Security Update for stdlib (GO-2026-4977)
Go (Go) Security Update for stdlib (GO-2026-4976)
Debian Security Update for libpng1.6 (CVE-2026-34757)
Python (Pip) Security Update for pip (GHSA-jp4c-xjxw-mgf9)
How I did it
Update the related packages