fix(security): patch Docker Scout CVEs and remove unused openssh-client #41

Merged
lerko merged 2 commits from fix/docker-scout-cves into main 2026-05-30 00:33:20 +00:00

Summary

  • Upgrade golang.org/x/net v0.54.0 → v0.55.0 — patches 6 CVEs including critical CVE-2026-41589 (CVSS 9.6)
  • Remove openssh-client from Docker image — unused (uptop uses pure Go SSH), eliminates 4 CVEs
  • Add apk upgrade to Dockerfile for remaining Alpine package CVEs

CVEs Resolved

| CVE | Severity (CVSS) | Package | Fix |
|-----|-----------------|---------|-----|
| CVE-2026-41589 | 9.6 Critical | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2025-60876 | 6.5 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-42502 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-42506 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-25681 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-35414 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-25680 | 7.5 High | alpine/openssh | removed openssh-client |
| CVE-2026-35386 | 3.6 Low | alpine/openssh | removed openssh-client |
| CVE-2026-35387 | 3.1 Low | alpine/openssh | removed openssh-client |
| CVE-2026-35388 | 2.5 Low | alpine/openssh | removed openssh-client |
| CVE-2026-27136 | 6.5 Medium | alpine/busybox | apk upgrade |

Not Addressed (not exploitable)

CVE-2026-35385 (charmbracelet/wish v1.4.7, CVSS 9.6) — path traversal in wish's SCP middleware. uptop does not use the SCP middleware, only wish core + bubbletea middleware. Vulnerable code path is never loaded. Migration to wish v2 tracked in #42.

Test Plan

  • [x] go build ./... passes
  • [x] go test ./... passes
  • [ ] Rebuild Docker image, re-scan with Docker Scout
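As an added example that is not part of this PR or the uptop repository: a POSIX shell regression check encoding the two invariants the PR establishes (golang.org/x/net at v0.55.0 or later in go.mod; no openssh-client installed and an apk upgrade present in the Dockerfile), so a later change cannot quietly reintroduce the scanned CVEs. The sample go.mod and Dockerfile contents, module path and base image tag are constructed assumptions, not the project's real files.

```shell
#!/bin/sh
# Added regression check, not part of the uptop repo. Guards the state this PR
# leaves behind: x/net >= v0.55.0, no openssh-client, apk upgrade in the image.
set -eu

MIN_XNET="v0.55.0"   # first x/net release carrying the CVE-2026-41589 fix per the PR

# Return 0 if go.mod ($1) requires golang.org/x/net at version >= $2.
# Handles plain vX.Y.Z tags only; pseudo-versions and pre-release tags are
# treated as older than any release and therefore fail the check.
xnet_version_ok() {
    ver=$(awk '$1=="golang.org/x/net" {print $2; exit}' "$1")
    [ -n "$ver" ] || return 1
    printf '%s\n%s\n' "$ver" "$2" | awk -F'[v.]' '
        NR==1 {a1=$2; a2=$3; a3=$4}
        NR==2 {b1=$2; b2=$3; b3=$4}
        END { ok = (a1>b1) || (a1==b1 && a2>b2) || (a1==b1 && a2==b2 && a3>=b3); exit !ok }'
}

# Return 0 if the Dockerfile ($1) never mentions openssh-client (conservative:
# any occurrence fails, so multi-line "apk add \" lists are covered) and runs
# "apk upgrade" (with or without --no-cache) somewhere in the build.
dockerfile_ok() {
    ! grep -Eq '(^|[^[:alnum:]-])openssh-client([^[:alnum:]-]|$)' "$1" || return 1
    grep -Eq 'apk[[:space:]]+(--no-cache[[:space:]]+)?upgrade' "$1"
}

# Constructed sample inputs mirroring the post-PR state (assumed, not real files).
make_samples() {
    dir=$(mktemp -d)
    printf 'module example.com/uptop\n\ngo 1.22\n\nrequire (\n\tgolang.org/x/net v0.55.0\n)\n' > "$dir/go.mod"
    printf 'FROM alpine:3.20\nRUN apk upgrade --no-cache && apk add --no-cache ca-certificates\n' > "$dir/Dockerfile"
    echo "$dir"
}

# Usage: sh check_cves.sh path/to/go.mod path/to/Dockerfile
if [ $# -eq 2 ]; then
    xnet_version_ok "$1" "$MIN_XNET" || { echo "golang.org/x/net below $MIN_XNET" >&2; exit 1; }
    dockerfile_ok "$2" || { echo "Dockerfile installs openssh-client or lacks apk upgrade" >&2; exit 1; }
    echo "ok: x/net >= $MIN_XNET, openssh-client absent, apk upgrade present"
fi
```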
lerko added 1 commit 2026-05-30 00:06:37 +00:00
fix(security): patch Docker Scout CVEs in x/net and Alpine packages
CI / test (pull_request) Successful in 2m26s
CI / lint (pull_request) Successful in 51s
CI / vulncheck (pull_request) Successful in 46s
13a0860dd3
Upgrade golang.org/x/net v0.54.0 → v0.55.0 (CVE-2026-41589 critical,
CVE-2025-60876, CVE-2026-42502, CVE-2026-42506, CVE-2026-25681,
CVE-2026-35414). Add apk upgrade to Dockerfile for openssh and busybox
CVEs (CVE-2026-25680, CVE-2026-27136, CVE-2026-35386, CVE-2026-35387,
CVE-2026-35388).
lerko added 1 commit 2026-05-30 00:19:11 +00:00
fix(security): remove unused openssh-client from Docker image
CI / test (pull_request) Successful in 2m25s
CI / lint (pull_request) Successful in 40s
CI / vulncheck (pull_request) Successful in 41s
aac8d4dd0e
openssh-client was never used — uptop uses pure Go SSH via
charmbracelet/ssh. Removing it eliminates CVE-2026-25680,
CVE-2026-35386, CVE-2026-35387, and CVE-2026-35388.
lerko changed title from fix(security): patch Docker Scout CVEs in x/net and Alpine packages to fix(security): patch Docker Scout CVEs and remove unused openssh-client 2026-05-30 00:29:27 +00:00
lerko scheduled this pull request to auto merge when all checks succeed 2026-05-30 00:29:56 +00:00
lerko canceled auto merging this pull request when all checks succeed 2026-05-30 00:33:09 +00:00
lerko merged commit 32982228b0 into main 2026-05-30 00:33:20 +00:00
lerko deleted branch fix/docker-scout-cves 2026-05-30 00:33:20 +00:00
Reference: lerkolabs/uptop#41