From 767bb5c2ec9e3042ad28d0d36c7a8e1071385889 Mon Sep 17 00:00:00 2001
From: Jose Celano
Date: Tue, 23 Dec 2025 08:58:13 +0000
Subject: [PATCH] fix: [#1628] upgrade to Debian 13 (Trixie) to resolve security vulnerabilities

- Update base images from Debian 12 (bookworm) to Debian 13 (trixie)
- Update builder: rust:bookworm -> rust:trixie
- Update tester: rust:slim-bookworm -> rust:slim-trixie
- Update GCC: gcc:bookworm -> gcc:trixie
- Update runtime: gcr.io/distroless/cc-debian12:debug -> gcr.io/distroless/cc-debian13:debug

This resolves all 5 security vulnerabilities (1 CRITICAL, 4 HIGH):
- CVE-2019-1010022 (CRITICAL): glibc stack guard protection bypass
- CVE-2018-20796 (HIGH): glibc uncontrolled recursion
- CVE-2019-1010023 (HIGH): glibc ldd malicious ELF code execution
- CVE-2019-9192 (HIGH): glibc uncontrolled recursion
- CVE-2023-0286 (HIGH): OpenSSL X.400 address type confusion

Trivy scan results:
- Before: Total 5 (CRITICAL: 1, HIGH: 4)
- After: Total 0 (CRITICAL: 0, HIGH: 0)

Container tested and verified working with health checks passing.
---
 Containerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Containerfile b/Containerfile
index 263053390..e926a5202 100644
--- a/Containerfile
+++ b/Containerfile
@@ -3,13 +3,13 @@
 # Torrust Tracker
 
 ## Builder Image
-FROM docker.io/library/rust:bookworm AS chef
+FROM docker.io/library/rust:trixie AS chef
 WORKDIR /tmp
 RUN curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
 RUN cargo binstall --no-confirm cargo-chef cargo-nextest
 
 ## Tester Image
-FROM docker.io/library/rust:slim-bookworm AS tester
+FROM docker.io/library/rust:slim-trixie AS tester
 WORKDIR /tmp
 RUN apt-get update; apt-get install -y curl sqlite3; apt-get autoclean
 
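Review bot: The new `FROM docker.io/library/rust:trixie AS chef` and `FROM docker.io/library/rust:slim-trixie AS tester` lines (and likewise `gcc:trixie` and `cc-debian13:debug` in the two later hunks) pin only a floating distribution tag, so the Trivy result quoted in the commit message describes whatever those tags resolved to on the day of the scan and will silently drift on the next rebuild. Pinning each base by digest, e.g. `FROM docker.io/library/rust:trixie@sha256:<digest-recorded-at-bump> AS chef`, makes the scanned image and the shipped image the same artifact, with a scheduled rescan or tag-bump automation refreshing the digests. The `RUN curl … | bash` line in the same stage fetches the cargo-binstall installer from an unpinned `main` branch and runs it under the default `/bin/sh` without pipefail, so a truncated download is masked; fetching a tagged release and checking its checksum before executing it would close that gap, although that line predates this change. The `RUN apt-get update; apt-get install -y curl sqlite3; apt-get autoclean` line chains with `;`, which lets a failed `update` go unnoticed; `&&` is the usual form, and `rm -rf /var/lib/apt/lists/*` in the same layer keeps the tester image smaller than `autoclean` does.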
@@ -21,7 +21,7 @@ RUN mkdir -p /app/share/torrust/default/database/; \
 sqlite3 /app/share/torrust/default/database/tracker.sqlite3.db "VACUUM;"
 
 ## Su Exe Compile
-FROM docker.io/library/gcc:bookworm AS gcc
+FROM docker.io/library/gcc:trixie AS gcc
 COPY ./contrib/dev-tools/su-exec/ /usr/local/src/su-exec/
 RUN cc -Wall -Werror -g /usr/local/src/su-exec/su-exec.c -o /usr/local/bin/su-exec; chmod +x /usr/local/bin/su-exec
 
@@ -91,7 +91,7 @@ RUN chown -R root:root /app; chmod -R u=rw,go=r,a+X /app; chmod -R a+x /app/bin
 
 ## Runtime
-FROM gcr.io/distroless/cc-debian12:debug AS runtime
+FROM gcr.io/distroless/cc-debian13:debug AS runtime
 RUN ["/busybox/cp", "-sp", "/busybox/sh","/busybox/cat","/busybox/ls","/busybox/env", "/bin/"]
 COPY --from=gcc --chmod=0555 /usr/local/bin/su-exec /bin/su-exec
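Review bot: `FROM docker.io/library/gcc:trixie AS gcc` now has to move in lock-step with the runtime stage's Debian release, because the `cc … -o /usr/local/bin/su-exec` line below builds su-exec without `-static`, so the binary later copied into the runtime image presumably links against this stage's glibc, and nothing in the Containerfile records that coupling. A comment on the FROM line, `# Keep the Debian release in sync with the runtime stage: su-exec is built without -static and links against this image's glibc`, would stop a future bump from changing only one of the two. The `RUN mkdir -p …` that provides this hunk's leading context starts outside the hunk, so its continuation line here is seen without its opening.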