
Conversation

@josecelano
Member

Description

This PR upgrades all Docker base images from Debian 12 (bookworm) to Debian 13 (trixie) to resolve security vulnerabilities detected by Trivy.

Changes

  • Builder image: rust:bookworm → rust:trixie
  • Tester image: rust:slim-bookworm → rust:slim-trixie
  • GCC image: gcc:bookworm → gcc:trixie
  • Runtime image: gcr.io/distroless/cc-debian12:debug → gcr.io/distroless/cc-debian13:debug

Security Impact

Before

Trivy scan detected 5 vulnerabilities (1 CRITICAL, 4 HIGH):

  • CVE-2019-1010022 (CRITICAL): glibc stack guard protection bypass
  • CVE-2018-20796 (HIGH): glibc uncontrolled recursion in posix/regexec.c
  • CVE-2019-1010023 (HIGH): glibc ldd on malicious ELF leads to code execution
  • CVE-2019-9192 (HIGH): glibc uncontrolled recursion in posix/regexec.c
  • CVE-2023-0286 (HIGH): OpenSSL X.400 address type confusion in X.509 GeneralName

After

Trivy scan results: Total: 0 (CRITICAL: 0, HIGH: 0)

All security vulnerabilities have been resolved.

Testing

  • ✅ Container builds successfully
  • ✅ Container runs and passes health checks
  • ✅ All services initialize correctly
  • ✅ Trivy security scan passes with zero HIGH/CRITICAL vulnerabilities

Related Issues

Closes #1628

Checklist

  • Updated all base images to Debian 13 (Trixie)
  • Built and tested container image
  • Verified with Trivy security scan
  • Confirmed container runs with health checks passing
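The "before" and "after" Trivy summaries above are the merge gate for this change. The script below, an added example that is not code from the torrust repository or from this PR, reads the JSON that `trivy image --format json <image>` writes, renders the same "Total: N (CRITICAL: x, HIGH: y)" line, fails when any blocking-severity finding remains, and diffs two reports so a base-image bump is checked for CVEs it introduced as well as the ones it resolved. The two embedded reports are constructed to mirror the counts in the PR; the artifact name, package names and titles in them are assumptions, not real scanner output.

```python
"""Fail a CI job when a Trivy image scan reports HIGH/CRITICAL findings.

Added example; not code from the torrust repository or from the PR.
Consumes the JSON produced by `trivy image --format json <image>`.
"""
import json
import sys
from collections import Counter

# Severities that block a merge: the PR's bar is zero HIGH/CRITICAL.
BLOCKING = ("CRITICAL", "HIGH")


def _finding(cve, pkg, severity, title):
    # Minimal subset of the fields Trivy emits per vulnerability.
    return {"VulnerabilityID": cve, "PkgName": pkg, "Severity": severity, "Title": title}


# Constructed report for the Debian 12 image: the five CVEs the PR lists.
# Artifact/package names are assumptions for illustration only.
BEFORE_JSON = json.dumps({
    "ArtifactName": "torrust-tracker:bookworm",
    "Results": [{
        "Target": "torrust-tracker:bookworm (debian 12)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            _finding("CVE-2019-1010022", "libc6", "CRITICAL", "glibc: stack guard protection bypass"),
            _finding("CVE-2018-20796", "libc6", "HIGH", "glibc: uncontrolled recursion in posix/regexec.c"),
            _finding("CVE-2019-1010023", "libc6", "HIGH", "glibc: ldd on malicious ELF leads to code execution"),
            _finding("CVE-2019-9192", "libc6", "HIGH", "glibc: uncontrolled recursion in posix/regexec.c"),
            _finding("CVE-2023-0286", "libssl3", "HIGH", "OpenSSL: X.400 address type confusion in X.509 GeneralName"),
        ],
    }],
})

# Constructed report for the Debian 13 image with no findings. Trivy omits the
# "Vulnerabilities" key for a clean target, so the parser must tolerate that.
AFTER_JSON = json.dumps({
    "ArtifactName": "torrust-tracker:trixie",
    "Results": [{"Target": "torrust-tracker:trixie (debian 13)", "Class": "os-pkgs"}],
})


def findings(report):
    """Flatten every Result's vulnerability list; a missing key means none."""
    out = []
    for result in report.get("Results") or []:
        out.extend(result.get("Vulnerabilities") or [])
    return out


def summary_line(report, blocking=BLOCKING):
    """Render a 'Total: N (CRITICAL: x, HIGH: y)' line in the form the PR quotes."""
    counts = Counter(f["Severity"] for f in findings(report))
    detail = ", ".join(f"{s}: {counts[s]}" for s in blocking)
    return f"Total: {sum(counts.values())} ({detail})"


def gate(report_json, blocking=BLOCKING):
    """Return (passed, summary). passed is False if any finding is at a blocking severity."""
    report = json.loads(report_json)
    blockers = [f for f in findings(report) if f["Severity"] in blocking]
    return (not blockers, summary_line(report, blocking))


def diff_reports(before_json, after_json):
    """CVE IDs a base-image bump resolved, and CVE IDs it newly introduced."""
    before = {f["VulnerabilityID"] for f in findings(json.loads(before_json))}
    after = {f["VulnerabilityID"] for f in findings(json.loads(after_json))}
    return before - after, after - before


def main(argv):
    # Usage: python trivy_gate.py before.json after.json
    # Without arguments the constructed reports above are used.
    if len(argv) == 3:
        with open(argv[1]) as f_before, open(argv[2]) as f_after:
            before, after = f_before.read(), f_after.read()
    else:
        before, after = BEFORE_JSON, AFTER_JSON
    resolved, introduced = diff_reports(before, after)
    passed, line = gate(after)
    print("before:    ", summary_line(json.loads(before)))
    print("after:     ", line)
    print("resolved:  ", sorted(resolved))
    print("introduced:", sorted(introduced))
    # Fail on remaining blockers, and also on any CVE the new base image brought in.
    return 0 if passed and not introduced else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Trivy's own `--exit-code 1 --severity HIGH,CRITICAL` already fails a job on remaining findings; what the script adds is the before/after diff, which catches a newer base image that fixes the listed CVEs while pulling in different ones. The "After: 0" result is tied to the vulnerability database at scan time, so keep the scan on a schedule rather than only at merge.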

… vulnerabilities

- Update base images from Debian 12 (bookworm) to Debian 13 (trixie)
- Update builder: rust:bookworm -> rust:trixie
- Update tester: rust:slim-bookworm -> rust:slim-trixie
- Update GCC: gcc:bookworm -> gcc:trixie
- Update runtime: gcr.io/distroless/cc-debian12:debug -> gcr.io/distroless/cc-debian13:debug

This resolves all 5 security vulnerabilities (1 CRITICAL, 4 HIGH):
- CVE-2019-1010022 (CRITICAL): glibc stack guard protection bypass
- CVE-2018-20796 (HIGH): glibc uncontrolled recursion
- CVE-2019-1010023 (HIGH): glibc ldd malicious ELF code execution
- CVE-2019-9192 (HIGH): glibc uncontrolled recursion
- CVE-2023-0286 (HIGH): OpenSSL X.400 address type confusion

Trivy scan results:
- Before: Total 5 (CRITICAL: 1, HIGH: 4)
- After: Total 0 (CRITICAL: 0, HIGH: 0)

Container tested and verified working with health checks passing.
@josecelano
Member Author

ACK 767bb5c

@josecelano added the labels Security (Publicly Connected to Security) and Dependencies (Related to Dependencies) on Dec 23, 2025
@codecov

codecov bot commented Dec 23, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.48%. Comparing base (38ed4cb) to head (767bb5c).
⚠️ Report is 4 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #1629   +/-   ##
========================================
  Coverage    86.47%   86.48%           
========================================
  Files          289      289           
  Lines        22701    22701           
  Branches     22701    22701           
========================================
+ Hits         19631    19633    +2     
+ Misses        2839     2836    -3     
- Partials       231      232    +1     

☔ View full report in Codecov by Sentry.
@josecelano josecelano merged commit 1134350 into torrust:develop Dec 23, 2025
21 of 22 checks passed

Development

Successfully merging this pull request may close these issues.

Security Vulnerabilities Detected in Docker Image