Merged
1 change: 1 addition & 0 deletions containers/squid/Dockerfile
@@ -5,6 +5,7 @@ FROM ubuntu/squid:latest
RUN set -eux; \
PKGS="curl dnsutils net-tools netcat-openbsd openssl squid-openssl"; \
apt-get update && \
apt-get install -y --only-upgrade gpgv && \
Copilot AI Feb 12, 2026

CVE-2025-68973 does not appear to exist. As of January 2025 (my knowledge cutoff), CVE identifiers are only assigned up through CVE-2024-XXXXX. CVE-2025-68973 is either fabricated or uses an incorrect identifier format. Additionally, gpgv (GnuPG signature verification tool) version 2.4.4 would need to be confirmed as actually vulnerable to any real CVE.

Before applying this change:

  1. Verify the CVE identifier is correct and corresponds to a real vulnerability
  2. Confirm that gpgv in ubuntu/squid:latest is actually affected
  3. Check if there's an official security advisory from Ubuntu or the GnuPG project
  4. Verify that the upgrade actually addresses the vulnerability

If this CVE is fictional or the vulnerability doesn't affect this container, this change adds unnecessary complexity and potential breaking changes without security benefit.

Suggested change
apt-get install -y --only-upgrade gpgv && \

Copilot AI Feb 12, 2026

The PR description mentions verifying the gpgv version is ">= 2.4.4-2ubuntu17.4", but there's no test coverage to verify this version requirement. Since this is a security fix, consider adding:

  1. A build-time verification that checks the gpgv version after the upgrade
  2. Integration test that validates the package version in the built container
  3. Documentation of the specific vulnerability and version requirement

This would prevent regression if the base image changes or the package repository no longer provides the patched version.

This issue also appears on line 8 of the same file.

See below for a potential fix:

# Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build
# Security hardening: ensure gpgv is at or above the required patched version to avoid regressions
RUN set -eux; \
    REQUIRED_GPGV_VERSION="2.4.4-2ubuntu17.4"; \
    PKGS="curl dnsutils net-tools netcat-openbsd openssl squid-openssl"; \
    apt-get update && \
    apt-get install -y --only-upgrade gpgv && \
    INSTALLED_GPGV_VERSION="$(dpkg-query -W -f='${Version}' gpgv)" && \
    dpkg --compare-versions "$INSTALLED_GPGV_VERSION" ge "$REQUIRED_GPGV_VERSION" || { \
      echo "ERROR: gpgv version $INSTALLED_GPGV_VERSION is less than required $REQUIRED_GPGV_VERSION" >&2; \
      exit 1; \
    } && \

Copilot AI Feb 12, 2026

This change deviates from the codebase's existing approach to container security. Looking at the agent Dockerfile (containers/agent/Dockerfile), package installations don't include explicit security updates for individual packages. The codebase relies on the base images (ubuntu/squid:latest, ubuntu:22.04) to provide security-patched packages.

If security-critical package updates are needed, consider:

  1. Documenting this as a new pattern in the codebase
  2. Applying the same approach to the agent container if needed
  3. Creating a process for monitoring and updating both containers for security issues

Alternatively, if ubuntu/squid:latest doesn't provide timely security updates, consider:

  • Switching to a more actively maintained base image
  • Building from a minimal ubuntu base and installing squid packages explicitly
  • Documenting why this container requires special security treatment
Suggested change
apt-get install -y --only-upgrade gpgv && \

( apt-get install -y --no-install-recommends $PKGS || \
(rm -rf /var/lib/apt/lists/* && apt-get update && \
apt-get install -y --no-install-recommends $PKGS) ) && \
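Review bot: the new `apt-get install -y --only-upgrade gpgv && \` line has no retry, while the `$PKGS` install directly below it is wrapped in `( ... || (rm -rf /var/lib/apt/lists/* && apt-get update && ...) )` precisely so that a transient archive failure does not kill the build; a 404 on the gpgv package still short-circuits the `&&` chain and fails the RUN. Either move the upgrade inside that retried group, or simply add `gpgv` to `PKGS`, since `apt-get install` on an already-installed package upgrades it to the candidate version and the separate `--only-upgrade` step becomes unnecessary. Nothing in the hunk records why gpgv alone is being upgraded or which version is expected; a one-line comment naming the advisory and the minimum version would let a later reader judge whether the line is still needed once the base image catches up.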