From 68ebb835248b6379a5d038dbcaf735938f42d6f1 Mon Sep 17 00:00:00 2001
From: shree1988 <37659750+shree1988@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:38:07 +0530
Subject: [PATCH 1/5] cde_service_runtime image vulnerabilities CVE-2026-24049(Wheel), CVE-2026-23949(Jaraco-context), CVE-2026-21441, CVE-2025-66418, CVE-2025-66471 vunerabilites fixes

---
 build/cdc_services_runtime/Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/build/cdc_services_runtime/Dockerfile b/build/cdc_services_runtime/Dockerfile
index 1068ae8b14..1be24fa84e 100644
--- a/build/cdc_services_runtime/Dockerfile
+++ b/build/cdc_services_runtime/Dockerfile
@@ -28,4 +28,9 @@ FROM --platform=linux/amd64 python:3.11.14-slim as runtime
 COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy
 
 # Install nginx.
-RUN apt-get update && apt-get -y upgrade && apt update && apt install -y nginx
\ No newline at end of file
+RUN apt-get update && apt-get -y upgrade && apt update && apt install -y nginx \
+    && pip install --upgrade pip \
+    && pip install --upgrade "wheel==0.46.2" \
+    && pip install --upgrade setuptools \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*

From 6dcad73853c0533685f6811a04fc923d8d9c64da Mon Sep 17 00:00:00 2001
From: shree1988 <37659750+shree1988@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:56:52 +0530
Subject: [PATCH 2/5] cde_data Image vulnerabilities fixes CVE-2026-24049(Wheel), CVE-2026-23949(Jaraco-context), CVE-2026-21441, CVE-2025-66418, CVE-2025-66471, CVE-2026-25990(pillow), CVE-2026-2472 and CVE-2026-2472(google-cloud-aiplatform) vunerabilites fixes

---
 build/cdc_data/Dockerfile | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/build/cdc_data/Dockerfile b/build/cdc_data/Dockerfile
index 3a6481ffa9..07d051623a 100644
--- a/build/cdc_data/Dockerfile
+++ b/build/cdc_data/Dockerfile
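Review bot: `pip install --upgrade pip` and `pip install --upgrade setuptools` in the new RUN are unpinned, so the image gets whatever version is current on build day and the setuptools/jaraco-context fix named in the subject is neither reproducible nor verifiable from the Dockerfile; pin them the way wheel is pinned, e.g. `&& pip install --no-cache-dir --upgrade "pip==<fixed version>" "setuptools==<fixed version>" "wheel==0.46.2" \`. The `--no-cache-dir` matters as well: unless PIP_NO_CACHE_DIR is set earlier in this stage (outside the hunk), the downloaded wheels stay in the layer. Patch 5 rewrites this same RUN and keeps both packages unpinned.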
@@ -45,7 +45,7 @@ ARG PIP_DISABLE_PIP_VERSION_CHECK=1
 ARG PIP_NO_CACHE_DIR=1
 
 # Create a virtual env, add it to path, and install all requirements.
-RUN python -m venv /workspace/venv
+RUN python -m venv /workspace/venv --without-pip
 ENV PATH="/workspace/venv/bin:$PATH"
 
 # TODO: Install requirements for embeddings importer and data importer in separate virtual envs.
@@ -74,8 +74,19 @@ COPY build/cdc_data/run.sh .
 # Make script executable.
 RUN chmod +x run.sh
 
+# Python packages upgrade to fix vulnerabilities
+RUN apt-get update && apt-get -y upgrade && apt update && apt-get dist-upgrade \
+    && pip3 install --upgrade --no-cache-dir "urllib3==2.6.3" \
+    && pip3 install --upgrade "pillow==12.1.1" \
+    && pip3 install --upgrade "google-cloud-aiplatform==1.133.0 \"
+    && pip3 install --upgrade pip \
+    && pip3 install --upgrade "wheel==0.46.2" \
+    && pip3 install --upgrade setuptools \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
 # Activate the virtual env.
 ENV PATH="/workspace/venv/bin:$PATH"
 
 # Set the default command to run the script.
-CMD ["./run.sh"]
\ No newline at end of file
+CMD ["./run.sh"]

From 8047a295fb7b7cd468c921a134eaac3e71cc3ec0 Mon Sep 17 00:00:00 2001
From: shree1988 <37659750+shree1988@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:57:34 +0530
Subject: [PATCH 3/5] Image vulnerabilites fixes

---
 build/cdc_data/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/cdc_data/Dockerfile b/build/cdc_data/Dockerfile
index 07d051623a..5591cb20d7 100644
--- a/build/cdc_data/Dockerfile
+++ b/build/cdc_data/Dockerfile
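Review bot: `--without-pip` leaves /workspace/venv with no pip, so once `/workspace/venv/bin` is first on PATH every later `pip`/`pip3` falls through to the base image's pip and installs into its site-packages, which the venv's isolated python does not see; the requirements install between this hunk and the next (outside the hunk, unless it calls an explicit interpreter path) and the CVE-fix installs in the next hunk would then not reach the interpreter run.sh uses. If the aim is to get rid of the venv's bundled pip/setuptools/wheel, keep the venv's pip and upgrade it in place through the venv interpreter, e.g. `RUN python -m venv /workspace/venv && /workspace/venv/bin/python -m pip install --upgrade "pip==<pinned>" "setuptools==<pinned>" "wheel==0.46.2"`, and install into the venv with `python -m pip` afterwards. The same resolution issue applies to patch 4's rewrite of the install block.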
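Review bot: `apt-get dist-upgrade` in the new RUN has no `-y`; when it has anything to do it asks for confirmation, and with no tty under `docker build` it aborts and the step fails, so it should be `apt-get -y dist-upgrade` or be dropped given `apt-get -y upgrade` runs immediately before it on the same line. This is unchanged in patch 4's rewrite. The block also sits after `COPY build/cdc_data/run.sh .` and `RUN chmod +x run.sh`, so any edit to the script invalidates the OS and package upgrade layer; moving the RUN above that COPY keeps it cached.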
@@ -78,7 +78,7 @@ RUN chmod +x run.sh
 RUN apt-get update && apt-get -y upgrade && apt update && apt-get dist-upgrade \
     && pip3 install --upgrade --no-cache-dir "urllib3==2.6.3" \
     && pip3 install --upgrade "pillow==12.1.1" \
-    && pip3 install --upgrade "google-cloud-aiplatform==1.133.0 \"
+    && pip3 install --upgrade "google-cloud-aiplatform==1.133.0" \
     && pip3 install --upgrade pip \
     && pip3 install --upgrade "wheel==0.46.2" \
     && pip3 install --upgrade setuptools \

From 5e625ee1188d1178ebb9cc624275a0625ac584df Mon Sep 17 00:00:00 2001
From: shree1988 <37659750+shree1988@users.noreply.github.com>
Date: Mon, 16 Mar 2026 14:02:48 +0530
Subject: [PATCH 4/5] cde_data fixing command issues

---
 build/cdc_data/Dockerfile | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/build/cdc_data/Dockerfile b/build/cdc_data/Dockerfile
index 5591cb20d7..977ee131eb 100644
--- a/build/cdc_data/Dockerfile
+++ b/build/cdc_data/Dockerfile
@@ -75,15 +75,14 @@ COPY build/cdc_data/run.sh .
 RUN chmod +x run.sh
 
 # Python packages upgrade to fix vulnerabilities
-RUN apt-get update && apt-get -y upgrade && apt update && apt-get dist-upgrade \
-    && pip3 install --upgrade --no-cache-dir "urllib3==2.6.3" \
-    && pip3 install --upgrade "pillow==12.1.1" \
-    && pip3 install --upgrade "google-cloud-aiplatform==1.133.0" \
-    && pip3 install --upgrade pip \
-    && pip3 install --upgrade "wheel==0.46.2" \
-    && pip3 install --upgrade setuptools \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get -y upgrade && apt-get dist-upgrade \
+    && pip3 install --upgrade \
+    setuptools \
+    "wheel==0.46.2" \
+    "urllib3==2.6.3" \
+    "pillow==12.1.1" \
+    "google-cloud-aiplatform==1.133.0" \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Activate the virtual env.
 ENV PATH="/workspace/venv/bin:$PATH"

From 095175646cf7a7bdc6ed7cb013daaf844f2fdd81 Mon Sep 17 00:00:00 2001
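Review bot: The new RUN re-pins urllib3, pillow and google-cloud-aiplatform on top of whatever the earlier requirements install put in place (outside the hunk), so the effective versions now live in two places and the built image can diverge from the requirements file that is supposed to describe it; bumping the pins in the requirements (or a constraints file passed with `-c`) and dropping these overrides from the Dockerfile would make the fix the single source of truth. If the override has to stay, `setuptools` is still the one unpinned entry in the list. Dropping `--no-cache-dir` here is only fine if `ARG PIP_NO_CACHE_DIR=1` from patch 2's first hunk is still in effect for this stage.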
From: shree1988 <37659750+shree1988@users.noreply.github.com>
Date: Mon, 16 Mar 2026 14:04:28 +0530
Subject: [PATCH 5/5] cde_runtime_services fixing command issue

---
 build/cdc_services_runtime/Dockerfile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/build/cdc_services_runtime/Dockerfile b/build/cdc_services_runtime/Dockerfile
index 1be24fa84e..ecfdc1106e 100644
--- a/build/cdc_services_runtime/Dockerfile
+++ b/build/cdc_services_runtime/Dockerfile
@@ -28,9 +28,9 @@ FROM --platform=linux/amd64 python:3.11.14-slim as runtime
 COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy
 
 # Install nginx.
-RUN apt-get update && apt-get -y upgrade && apt update && apt install -y nginx \
-    && pip install --upgrade pip \
-    && pip install --upgrade "wheel==0.46.2" \
-    && pip install --upgrade setuptools \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get -y upgrade && apt install -y nginx \
+    && pip install --upgrade \
+    pip \
+    "wheel==0.46.2" \
+    setuptools \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
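Review bot: `apt install -y nginx` on the first line of the new RUN uses the `apt` front end, which warns that it has no stable CLI for scripts, and it installs nginx's recommended packages into the runtime image; `apt-get install -y --no-install-recommends nginx` is the scriptable form and keeps the image smaller. `pip` and `setuptools` stay unpinned in the rewritten install list, as in patch 1, so the fix cannot be reproduced from the Dockerfile alone. The rest of the stage is outside the hunk, so whether it ends with a `USER` directive cannot be confirmed from here.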