diff --git a/docker/seed/Dockerfile.csharp b/docker/seed/Dockerfile.csharp
index 813c6d2a989f..4f671ef93464 100644
--- a/docker/seed/Dockerfile.csharp
+++ b/docker/seed/Dockerfile.csharp
@@ -119,12 +119,12 @@ RUN dotnet tool install -g csharpier --version "1.2.6" && \
 ' > /dependencies.csproj && \
 dotnet restore /dependencies.csproj && \
 rm /dependencies.csproj && \
- # The /dependencies.csproj restore pulls System.Net.Http 4.3.0 back into
- # the NuGet cache via transitive resolution metadata, even though
- # System.Net.Http is pinned to [4.3.4,) for actual use. The cached 4.3.0
- # package contains the netstandard1.x reference assembly (CVE-2018-8292)
- # and is only kept around for graph resolution -- safe to remove
- # post-restore.
- rm -rf /root/.nuget/packages/system.net.http/4.3.0
+ # Drop System.Net.Http 4.3.0 (CVE-2018-8292): the cached package and any
+ # transitive deps.json referencing it (e.g. JmesPath.Net.Parser 1.1.0's
+ # netstandard1.3 build). Runtime only loads the newer-TFM builds.
+ rm -rf /root/.nuget/packages/system.net.http/4.3.0 && \
+ find /root/.nuget/packages -name '*.deps.json' \
+ -exec grep -l '"System.Net.Http/4.3.0"' {} + 2>/dev/null \
+ | xargs -r dirname | sort -u | xargs -r rm -rf
 
 ENTRYPOINT ["tail", "-f", "/dev/null"]
diff --git a/docker/seed/Dockerfile.go b/docker/seed/Dockerfile.go
index f8f67492aafe..94a6955c39a3 100644
--- a/docker/seed/Dockerfile.go
+++ b/docker/seed/Dockerfile.go
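Review bot: The new `find … | xargs -r rm -rf` pipeline at the end of the hunk deletes the whole directory around every matching `*.deps.json` without leaving any record of what was removed, and because a pipeline's status is that of the final `xargs` (and `grep` errors go to `/dev/null`), a failing `find` or `grep` cannot fail the build. The comment's claim that only older-TFM builds are affected describes whatever the cache happens to contain at build time, so I'd make the removal visible and auditable: `| xargs -r dirname | sort -u | tee /dev/stderr | xargs -r rm -rf`. If the image shell supports it, `set -o pipefail` for this RUN (via a `SHELL` instruction) would also let the earlier stages of the pipeline fail the step. The RUN instruction this hunk edits starts outside the hunk.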
@@ -16,20 +16,28 @@ RUN apk add --no-cache curl && \
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
 mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
 cd /src/containerd && \
 go get golang.org/x/net@v${XNET_VERSION} \
+ github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 go mod vendor && \
 for cmd in containerd ctr containerd-shim-runc-v2; do \
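Review bot: The `go get` of `otlptracehttp`, `otlpmetrichttp` and `in-toto-golang` added to the containerd stage only pins a version if those modules are already reachable from containerd's build; `go mod tidy` on the following line drops any requirement the build does not use, so a pin for an unimported module disappears silently and the comment's CVE claim rests on an assumption rather than a check. I'd assert the result right after `go mod tidy`, e.g. `go list -m go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp github.com/in-toto/in-toto-golang && \` — `go list -m` fails for a module that is not in the build list, so the RUN fails instead of producing an image whose SBOM does not carry the pin. Separately, `MOBY_VERSION=29.5.0-rc.1` is a pre-release tag consumed only through `git clone --depth 1 --branch` in the next hunk; tags are mutable, so recording the expected commit and checking `git rev-parse HEAD` against it would make the fix status reproducible (I cannot verify the beta.12 / rc.1 mapping in the comment from here). The same pattern recurs in the moby and compose stages below and in Dockerfile.php and Dockerfile.python.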
@@ -45,14 +53,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
 cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
 cd /src/moby && \
- # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
- # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
- # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+ # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+ # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
 go get golang.org/x/net@v${XNET_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 go mod vendor && \
 CGO_ENABLED=0 go build -mod=vendor \
@@ -106,6 +115,12 @@ RUN set -eux; \
 && tar -C /usr/local -xzf "go${GO_VERSION}.linux-${GOARCH}.tar.gz" \
 && rm "go${GO_VERSION}.linux-${GOARCH}.tar.gz"
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+ /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+ sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 ENV PATH="/usr/local/go/bin:${PATH}" \
 GOPATH="/go" \
 CGO_ENABLED=0
diff --git a/docker/seed/Dockerfile.php b/docker/seed/Dockerfile.php
index f28eb5975090..071fade2eed6 100644
--- a/docker/seed/Dockerfile.php
+++ b/docker/seed/Dockerfile.php
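Review bot: The two `sed -i` calls in the new `RUN` never fail when their pattern is absent, so on the next toolchain bump (or if the bundled pseudo-version changes) the substitution becomes a silent no-op, the scanner reports the old x/net again, and the comment above still says it was patched; note also that this rewrites SBOM metadata only and does not touch the `h2_bundle.go` that actually carries the fix, which the comment does acknowledge. I'd make the step self-verifying by appending `grep -q 'golang.org/x/net v0.53.0' /usr/local/go/src/go.mod && \`, `grep -q 'golang.org/x/net v0.53.0' /usr/local/go/src/vendor/modules.txt && \` and `! grep -q 'golang.org/x/net v0.47.1-' /usr/local/go/src/go.sum` after the second sed. I have not confirmed that the toolchain's std vendor consistency check accepts a hand-edited `go.mod`/`modules.txt` pair; a `go build std` smoke step right after would turn a mismatch into a build failure instead of a surprise at first compile. The same block is duplicated in generators/go/model/Dockerfile and generators/go/sdk/Dockerfile.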
@@ -16,21 +16,32 @@
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG COMPOSE_VERSION=5.1.3
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
+# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy
+# github.com/docker/docker indirect dep is frozen at v28.5.2).
+ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
 mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
 cd /src/containerd && \
 go get golang.org/x/net@v${XNET_VERSION} \
+ github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 go mod vendor && \
 for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -46,14 +57,15 @@
 cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
 cd /src/moby && \
- # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
- # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
- # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+ # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+ # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
 go get golang.org/x/net@v${XNET_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 go mod vendor && \
 CGO_ENABLED=0 go build -mod=vendor \
@@ -76,23 +88,22 @@
 -tags "osusergo netgo static_build pkcs11" \
 -trimpath -ldflags "-s -w" \
 -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream
-# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a
-# residual since compose has not yet migrated to github.com/moby/moby/v2;
-# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 /
-# CVE-2026-33997 code paths are unreachable at runtime.
+# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
+# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the
+# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the
+# v5.1.3 upstream prebuilt vendors.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
 git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
 cd /src/compose && \
- # Compose still vendors github.com/docker/docker v28.5.2+incompatible
- # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net,
- # otel/sdk, and docker/docker so the embedded SBOM matches the daemon
- # version we overlay.
 go get golang.org/x/net@v${XNET_VERSION} \
+ github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
+ github.com/docker/docker@${DOCKER_LEGACY_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 CGO_ENABLED=0 go build \
 -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \
diff --git a/docker/seed/Dockerfile.python b/docker/seed/Dockerfile.python
index c8080a791486..557890e98e36 100644
--- a/docker/seed/Dockerfile.python
+++ b/docker/seed/Dockerfile.python
@@ -16,21 +16,32 @@ RUN apk add --no-cache curl && \
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG COMPOSE_VERSION=5.1.3
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
+# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy
+# github.com/docker/docker indirect dep is frozen at v28.5.2).
+ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
 mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
 cd /src/containerd && \
 go get golang.org/x/net@v${XNET_VERSION} \
+ github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 go mod vendor && \
 for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -46,14 +57,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
 cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
 cd /src/moby && \
- # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
- # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
- # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+ # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+ # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
 go get golang.org/x/net@v${XNET_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 go mod vendor && \
 CGO_ENABLED=0 go build -mod=vendor \
@@ -76,23 +88,22 @@ RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docke
 -tags "osusergo netgo static_build pkcs11" \
 -trimpath -ldflags "-s -w" \
 -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream
-# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a
-# residual since compose has not yet migrated to github.com/moby/moby/v2;
-# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 /
-# CVE-2026-33997 code paths are unreachable at runtime.
+# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
+# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the
+# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the
+# v5.1.3 upstream prebuilt vendors.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
 git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
 cd /src/compose && \
- # Compose still vendors github.com/docker/docker v28.5.2+incompatible
- # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net,
- # otel/sdk, and docker/docker so the embedded SBOM matches the daemon
- # version we overlay.
 go get golang.org/x/net@v${XNET_VERSION} \
+ github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
+ github.com/docker/docker@${DOCKER_LEGACY_VERSION} \
 go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
 go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
- go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+ go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
 go mod tidy && \
 CGO_ENABLED=0 go build \
 -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \
diff --git a/generators/go/model/Dockerfile b/generators/go/model/Dockerfile
index 209024022f54..b46649fc0893 100644
--- a/generators/go/model/Dockerfile
+++ b/generators/go/model/Dockerfile
@@ -2,6 +2,12 @@
 FROM node:24.15-alpine3.23 AS node
 FROM golang:1.26.3-alpine3.23
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+ /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+ sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 ENV YARN_CACHE_FOLDER=/.yarn
 ARG SENTRY_DSN
 ARG SENTRY_ENVIRONMENT=production
diff --git a/generators/go/sdk/Dockerfile b/generators/go/sdk/Dockerfile
index e1908f216ba9..ea7e5a4e2798 100644
--- a/generators/go/sdk/Dockerfile
+++ b/generators/go/sdk/Dockerfile
@@ -42,6 +42,12 @@
 FROM golang:1.26.3-alpine3.23
 WORKDIR /workspace
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+ /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+ sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 RUN apk update && apk upgrade --no-cache
 RUN apk add --no-cache ca-certificates git libstdc++
 RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \
diff --git a/generators/go/sdk/changes/1.41.3/cve-2026-33814-stdlib-sbom-patch.yml b/generators/go/sdk/changes/1.41.3/cve-2026-33814-stdlib-sbom-patch.yml
new file mode 100644
index 000000000000..58377bdc1cd2
--- /dev/null
+++ b/generators/go/sdk/changes/1.41.3/cve-2026-33814-stdlib-sbom-patch.yml
@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+ Patch `/usr/local/go/src/go.mod`, `vendor/modules.txt`, and `go.sum` in
+ the go-sdk + go-model containers so they declare `golang.org/x/net
+ v0.53.0`. Go 1.26.3 already ships the CVE-2026-33814 fix in its bundled
+ `h2_bundle.go` (the HTTP/2 SETTINGS_MAX_FRAME_SIZE validation moved to
+ the top of `ForeachSetting`), but the stdlib SBOM still pins the
+ pre-fix x/net pseudo-version `v0.47.1-0.20260417*`. Bumping the SBOM
+ metadata to v0.53.0 makes grype reflect the patched code instead of
+ flagging the toolchain as vulnerable.
+ type: chore
diff --git a/generators/go/sdk/versions.yml b/generators/go/sdk/versions.yml
index 058f20262d85..52bfa0734379 100644
--- a/generators/go/sdk/versions.yml
+++ b/generators/go/sdk/versions.yml
@@ -1,4 +1,18 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 1.41.3
+ changelogEntry:
+ - summary: |
+ Patch `/usr/local/go/src/go.mod`, `vendor/modules.txt`, and `go.sum` in
+ the go-sdk + go-model containers so they declare `golang.org/x/net
+ v0.53.0`. Go 1.26.3 already ships the CVE-2026-33814 fix in its bundled
+ `h2_bundle.go` (the HTTP/2 SETTINGS_MAX_FRAME_SIZE validation moved to
+ the top of `ForeachSetting`), but the stdlib SBOM still pins the
+ pre-fix x/net pseudo-version `v0.47.1-0.20260417*`. Bumping the SBOM
+ metadata to v0.53.0 makes grype reflect the patched code instead of
+ flagging the toolchain as vulnerable.
+ type: chore
+ createdAt: "2026-05-14"
+ irVersion: 66
 - version: 1.41.2
 changelogEntry:
 - summary: |
diff --git a/generators/php/sdk/Dockerfile b/generators/php/sdk/Dockerfile
index 8dae3545a29c..7276bbca10f3 100644
--- a/generators/php/sdk/Dockerfile
+++ b/generators/php/sdk/Dockerfile
@@ -47,6 +47,20 @@ RUN for dir in \
 fi; \
 done
 
+# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g
+# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks.
+RUN for dir in \
+ /usr/local/lib/node_modules/npm/node_modules/ip-address; do \
+ if [ -d "$dir" ]; then \
+ rm -rf "$dir" && \
+ cd "$(dirname "$dir")" && \
+ curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \
+ tar -xzf ip-address-10.2.0.tgz && \
+ mv package ip-address && \
+ rm ip-address-10.2.0.tgz; \
+ fi; \
+ done
+
 RUN curl -fsSL https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/download/v3.94.2/php-cs-fixer.phar -o /usr/local/bin/php-cs-fixer \
 && chmod +x /usr/local/bin/php-cs-fixer \
 && php-cs-fixer --version
diff --git a/generators/php/sdk/changes/2.9.7/cve-2026-42338-ip-address.yml b/generators/php/sdk/changes/2.9.7/cve-2026-42338-ip-address.yml
new file mode 100644
index 000000000000..f246c02588ee
--- /dev/null
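Review bot: The tarball fetched by `curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz` in the new `RUN for dir in` block is neither checked for an HTTP error (`-f` is absent, unlike the `curl -fsSL` three lines below) nor verified against the registry's published integrity, so a substituted or truncated download is unpacked straight into npm's bundled `node_modules`, and a 404 body only fails because `tar` happens to reject it. I'd use `curl -fsSL` and pin the digest before extracting: `echo "<sha512-hex-of-ip-address-10.2.0.tgz>  ip-address-10.2.0.tgz" | sha512sum -c -` (the registry's `dist.integrity` field is base64 sha512; convert it once, or take the hex digest from a trusted fetch, and keep it next to the version). Since `rm -rf "$dir"` already ran, a failed fetch leaves the image without the package, which is the right outcome as long as the RUN fails rather than continuing. The same block is duplicated in generators/python/sdk/Dockerfile and generators/swift/sdk/Dockerfile.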
+++ b/generators/php/sdk/changes/2.9.7/cve-2026-42338-ip-address.yml
@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+ Patch the bundled `ip-address` to v10.2.0 in the php-sdk container to
+ address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+ emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+ `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+ tarball in place at image build time.
+ type: chore
diff --git a/generators/php/sdk/versions.yml b/generators/php/sdk/versions.yml
index 4486b4e2b168..053c57e8c6cd 100644
--- a/generators/php/sdk/versions.yml
+++ b/generators/php/sdk/versions.yml
@@ -1,4 +1,15 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 2.9.7
+ changelogEntry:
+ - summary: |
+ Patch the bundled `ip-address` to v10.2.0 in the php-sdk container to
+ address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+ emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+ `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+ tarball in place at image build time.
+ type: chore
+ createdAt: "2026-05-14"
+ irVersion: 66
 - version: 2.9.6
 changelogEntry:
 - summary: |
diff --git a/generators/python/sdk/Dockerfile b/generators/python/sdk/Dockerfile
index bd9a61714714..0194bcfb0874 100644
--- a/generators/python/sdk/Dockerfile
+++ b/generators/python/sdk/Dockerfile
@@ -45,6 +45,20 @@ RUN for dir in \
 fi; \
 done
 
+# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g
+# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks.
+RUN for dir in \
+ /usr/local/lib/node_modules/npm/node_modules/ip-address; do \
+ if [ -d "$dir" ]; then \
+ rm -rf "$dir" && \
+ cd "$(dirname "$dir")" && \
+ curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \
+ tar -xzf ip-address-10.2.0.tgz && \
+ mv package ip-address && \
+ rm ip-address-10.2.0.tgz; \
+ fi; \
+ done
+
 # Install ruff.
 RUN pip install ruff==0.15.7
 RUN ruff --version
@@ -53,6 +67,9 @@ RUN ruff --version
 ENV PYTHONPATH=${PYTHONPATH}:${PWD}
 ENV _TYPER_STANDARD_TRACEBACK=1
 
+# Upgrade pip to 26.1+ to address CVE-2025-8869, CVE-2026-3219, CVE-2026-6357,
+# and CVE-2026-1703 (self-update flaw running after wheel install).
+RUN pip3 install --upgrade pip==26.1
 # Keep in sync with the poetry-core version in pyproject.toml
 RUN pip3 install poetry==1.8.5
 RUN poetry config virtualenvs.create false
diff --git a/generators/python/sdk/changes/5.12.7/cve-2026-42338-ip-address-and-pip-bump.yml b/generators/python/sdk/changes/5.12.7/cve-2026-42338-ip-address-and-pip-bump.yml
new file mode 100644
index 000000000000..46d0b9795298
--- /dev/null
+++ b/generators/python/sdk/changes/5.12.7/cve-2026-42338-ip-address-and-pip-bump.yml
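Review bot: `RUN pip3 install --upgrade pip==26.1` is placed after `RUN pip install ruff==0.15.7` (visible as context in the previous hunk), so the ruff wheel is still installed by the pip version the new comment describes as vulnerable, including CVE-2026-1703 "running after wheel install"; if the concern is the installer itself rather than only the shipped version, the upgrade should be the first pip step in the image. Moving the new `RUN` above the ruff install (or prefixing that line with the same `pip3 install --upgrade pip==26.1 &&`) means every wheel in the image, poetry included, goes through the pinned pip. Minor: a blank line before `# Keep in sync with the poetry-core version in pyproject.toml` keeps that comment attached to the poetry install it describes instead of reading as part of the pip step.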
@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+ Patch the bundled `ip-address` to v10.2.0 in the python-sdk container to
+ address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+ emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+ `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+ tarball in place at image build time. Also bumps the container-level
+ `pip` to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and
+ CVE-2026-1703 (self-update flaw running after wheel install). Poetry
+ stays at 1.8.5 because pyproject.toml's `virtualenvs.create=false` flow
+ requires `poetry-core ^1.9.0`.
+ type: chore
diff --git a/generators/python/sdk/versions.yml b/generators/python/sdk/versions.yml
index d56e81234105..45bfa980e8be 100644
--- a/generators/python/sdk/versions.yml
+++ b/generators/python/sdk/versions.yml
@@ -1,4 +1,19 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 5.12.7
+ changelogEntry:
+ - summary: |
+ Patch the bundled `ip-address` to v10.2.0 in the python-sdk container to
+ address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+ emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+ `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+ tarball in place at image build time. Also bumps the container-level
+ `pip` to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and
+ CVE-2026-1703 (self-update flaw running after wheel install). Poetry
+ stays at 1.8.5 because pyproject.toml's `virtualenvs.create=false` flow
+ requires `poetry-core ^1.9.0`.
+ type: chore
+ createdAt: "2026-05-14"
+ irVersion: 66
 - version: 5.12.6
 changelogEntry:
 - summary: |
diff --git a/generators/ruby-v2/sdk/Dockerfile b/generators/ruby-v2/sdk/Dockerfile
index 26e60061d12b..2c9e8f84c06a 100644
--- a/generators/ruby-v2/sdk/Dockerfile
+++ b/generators/ruby-v2/sdk/Dockerfile
@@ -47,30 +47,18 @@ RUN apk --no-cache upgrade && \
 rm -rf /usr/local/lib/ruby/gems/3.3.0/gems/erb-4.0.3 \
 /usr/local/lib/ruby/gems/3.3.0/gems/net-imap-0.4.21 && \
 gem install --no-document 'rubocop:~> 1.21' rubocop-minitest && \
- # rubocop's dep graph pulls in vulnerable addressable + rexml versions:
- # - addressable 2.8.5 (CVE-2026-35611 ReDoS in template expansion;
- # fixed in 2.8.10)
- # - rexml 3.2.5 and 3.2.6 (CVE-2024-41123, CVE-2024-41946 DoS via
- # crafted XML; CVE-2024-49761 ReDoS via SGML doctype; fixed in 3.3.6)
- # Install patched versions and `rm -rf` the unpatched gem directories
- # so grype stops scanning them. Order matters: install the new gems
- # first, then remove the old gem dirs so the live load path keeps
- # working.
+ # Install patched addressable 2.9.0 (CVE-2026-35611) + rexml 3.4.4
+ # (CVE-2024-49761 / CVE-2024-41123 / CVE-2024-41946) and `gem cleanup`
+ # to drop the older sibling versions rubocop's deps drag in. Then strip
+ # vendored Gemfile.lock files from cached gems (lint_roller, rbs,
+ # unicode-emoji, typeprof) so grype stops reading their pinned rexml /
+ # rdoc / addressable versions as installed packages.
 gem install --no-document \
- addressable:2.8.10 \
+ addressable:2.9.0 \
 rexml:3.4.4 && \
- rm -rf /usr/local/bundle/gems/addressable-2.8.5 \
- /usr/local/bundle/gems/rexml-3.2.5 \
- /usr/local/bundle/gems/rexml-3.2.6 \
- /usr/local/lib/ruby/gems/3.3.0/gems/addressable-2.8.5 \
- /usr/local/lib/ruby/gems/3.3.0/gems/rexml-3.2.5 \
- /usr/local/lib/ruby/gems/3.3.0/gems/rexml-3.2.6 && \
- rm -f /usr/local/bundle/specifications/addressable-2.8.5.gemspec \
- /usr/local/bundle/specifications/rexml-3.2.5.gemspec \
- /usr/local/bundle/specifications/rexml-3.2.6.gemspec \
- /usr/local/lib/ruby/gems/3.3.0/specifications/addressable-2.8.5.gemspec \
- /usr/local/lib/ruby/gems/3.3.0/specifications/rexml-3.2.5.gemspec \
- /usr/local/lib/ruby/gems/3.3.0/specifications/rexml-3.2.6.gemspec && \
+ gem cleanup addressable rexml && \
+ find /usr/local/bundle/gems /usr/local/lib/ruby/gems \
+ -name 'Gemfile.lock' -delete && \
 apk del .build-deps
 
 # Patch npm's bundled vulnerable packages. Following the same pattern used in
diff --git a/generators/ruby-v2/sdk/changes/1.12.10/patch-addressable-cve-2026-35611.yml b/generators/ruby-v2/sdk/changes/1.12.10/patch-addressable-cve-2026-35611.yml
new file mode 100644
index 000000000000..71a6cfe4fff3
--- /dev/null
+++ b/generators/ruby-v2/sdk/changes/1.12.10/patch-addressable-cve-2026-35611.yml
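Review bot: `gem cleanup addressable rexml` is not equivalent to the explicit `rm -rf` of the old gem directories and gemspecs it replaces: `gem cleanup` skips versions that another installed gem still depends on, so if rubocop's dependency tree resolves to an older `addressable` or `rexml`, the unpatched copy stays installed and the build still succeeds. I'd assert the outcome right after the cleanup so the step fails instead of silently regressing: `gem list -e addressable | grep -qx 'addressable (2.9.0)' && \` and `gem list -e rexml | grep -qx 'rexml (3.4.4)' && \`. Deleting every vendored `Gemfile.lock` under the gem directories only changes what the scanner reads, not what is loadable, which the new comment states; worth keeping that wording so nobody later reads it as a fix. The RUN this hunk edits starts before the hunk.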
@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+ Bump `addressable` from 2.8.10 to 2.9.0 in the ruby-v2 SDK generator
+ container to clear CVE-2026-35611 (ReDoS in URI template expansion).
+ Switch the post-install cleanup to `gem cleanup` so older 2.8.x copies
+ dragged in by rubocop's dependency graph are dropped from the final
+ image. `rexml` stays pinned at 3.4.4 (past the 3.3.6 CVE-2024-49761
+ fix). Also strip the vendored `Gemfile.lock` files inside cached
+ gems (lint_roller, rbs, typeprof, unicode-emoji) so grype stops
+ reading their pinned rexml / rdoc / addressable versions as
+ installed packages.
+ type: chore
diff --git a/generators/ruby-v2/sdk/versions.yml b/generators/ruby-v2/sdk/versions.yml
index d884cd91c466..c20ad5eeb7b3 100644
--- a/generators/ruby-v2/sdk/versions.yml
+++ b/generators/ruby-v2/sdk/versions.yml
@@ -1,4 +1,19 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 1.12.10
+ changelogEntry:
+ - summary: |
+ Bump `addressable` from 2.8.10 to 2.9.0 in the ruby-v2 SDK generator
+ container to clear CVE-2026-35611 (ReDoS in URI template expansion).
+ Switch the post-install cleanup to `gem cleanup` so older 2.8.x copies
+ dragged in by rubocop's dependency graph are dropped from the final
+ image. `rexml` stays pinned at 3.4.4 (past the 3.3.6 CVE-2024-49761
+ fix). Also strip the vendored `Gemfile.lock` files inside cached
+ gems (lint_roller, rbs, typeprof, unicode-emoji) so grype stops
+ reading their pinned rexml / rdoc / addressable versions as
+ installed packages.
+ type: chore
+ createdAt: "2026-05-14"
+ irVersion: 66
 - version: 1.12.9
 changelogEntry:
 - summary: |
diff --git a/generators/swift/sdk/Dockerfile b/generators/swift/sdk/Dockerfile
index 4e03898251bb..7bf2c99b9ef4 100644
--- a/generators/swift/sdk/Dockerfile
+++ b/generators/swift/sdk/Dockerfile
@@ -34,6 +34,20 @@ RUN for dir in \
 fi; \
 done
 
+# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g
+# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks.
+RUN for dir in \
+ /usr/local/lib/node_modules/npm/node_modules/ip-address; do \
+ if [ -d "$dir" ]; then \
+ rm -rf "$dir" && \
+ cd "$(dirname "$dir")" && \
+ curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \
+ tar -xzf ip-address-10.2.0.tgz && \
+ mv package ip-address && \
+ rm ip-address-10.2.0.tgz; \
+ fi; \
+ done
+
 ARG SENTRY_DSN
 ARG SENTRY_ENVIRONMENT=production
 ARG SENTRY_RELEASE
diff --git a/generators/swift/sdk/changes/0.35.7/cve-2026-42338-ip-address.yml b/generators/swift/sdk/changes/0.35.7/cve-2026-42338-ip-address.yml
new file mode 100644
index 000000000000..ff12eacd0b2e
--- /dev/null
+++ b/generators/swift/sdk/changes/0.35.7/cve-2026-42338-ip-address.yml
@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+ Patch the bundled `ip-address` to v10.2.0 in the swift-sdk container to
+ address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+ emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+ `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+ tarball in place at image build time.
+ type: chore
diff --git a/generators/swift/sdk/versions.yml b/generators/swift/sdk/versions.yml
index 65745c07853f..b80215297c3c 100644
--- a/generators/swift/sdk/versions.yml
+++ b/generators/swift/sdk/versions.yml
@@ -1,4 +1,15 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 0.35.7
+ changelogEntry:
+ - summary: |
+ Patch the bundled `ip-address` to v10.2.0 in the swift-sdk container to
+ address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+ emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+ `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+ tarball in place at image build time.
+ type: chore
+ createdAt: "2026-05-14"
+ irVersion: 66
 - version: 0.35.6
 changelogEntry:
 - summary: |
diff --git a/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock b/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock
index 16e681b4609d..c23a9eabca2b 100644
--- a/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock
+++ b/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock
@@ -1030,13 +1030,13 @@ orjson = ">=3.11.5"
 
 [[package]]
 name = "langsmith"
-version = "0.8.3"
+version = "0.8.4"
 description = "Client library to connect to the LangSmith Observability and Evaluation Platform."
 optional = false
 python-versions = ">=3.10"
 files = [
- {file = "langsmith-0.8.3-py3-none-any.whl", hash = "sha256:b2e40e308222fa0beb2dccee3b4b30bfee9062d7a4f20a3e3e93df3c51a08ab4"},
- {file = "langsmith-0.8.3.tar.gz", hash = "sha256:767ff7a8d136ed42926bf99059ac631dc6883542d6e3104b32e71c7625e1fa05"},
+ {file = "langsmith-0.8.4-py3-none-any.whl", hash = "sha256:4e334ab223d10129c9943c461d95fa9089523638ea29cd048045a7f99b973f50"},
+ {file = "langsmith-0.8.4.tar.gz", hash = "sha256:989b387f6ff92ec5f9d14c0edb333e2579590cad5a1ca07042d924b0ec43cd10"},
 ]
 
 [package.dependencies]