
fix: CVE-2013-3900 - Updates to Windows image #1997

Merged
kamilprz merged 12 commits into microsoft:main from kamilprz:kamilp/fedramp-cve
Jan 27, 2026

Conversation

@kamilprz
Contributor

@kamilprz kamilprz commented Jan 13, 2026

Description

This PR tackles CVE-2013-3900, which is present on the Windows images. The Windows registry must be updated to mitigate the CVE, thus we had to separate our Windows/Linux build process, so that Windows runs on a Windows host VM.

The Windows image build step is now separated into two steps. The binaries are built as part of a separate Makefile target. The GitHub Action runs this on an Ubuntu host (intentionally - it's faster than on Windows). The Windows 2019/2022 image build actions then use those binaries to complete the build on their respective Windows-based hosts.

Related Issue

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

Checklist

  • I have read the contributing documentation.
  • I signed and signed-off the commits (git commit -S -s ...). See this documentation on signing commits.
  • I have correctly attributed the author(s) of the code.
  • I have tested the changes locally.
  • I have followed the project's style guidelines.
  • [ ] I have updated the documentation, if necessary.
  • [ ] I have added tests, if applicable.

Screenshots (if applicable) or Testing Completed

Vulnerability scan on pre-fix Windows 2022. ghcr.io/microsoft/retina/retina-agent:4895b43-windows-ltsc2022-amd64

Vulnerability scan after the fix. Doesn't detect the same CVE. ghcr.io/kamilprz/retina/retina-agent:357857e-windows-ltsc2022-amd64


Signed-off-by: Kamil <kamil.prz@gmail.com>
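The registry mitigation the description refers to, as an added example that is not code from this PR or from the Retina project: a script meant to run as a step of the Windows-hosted image build, which applies the setting and then verifies it the way a vulnerability scanner would. The key paths and the `EnableCertPaddingCheck` value are taken from the MSRC advisory linked under Related Issue, since the PR's own Dockerfile changes are not shown on this page.

```powershell
# Added example (not the PR's own code): apply and verify the CVE-2013-3900
# mitigation inside a Windows container image build step.
# Value names and paths are those documented in the MSRC advisory for
# CVE-2013-3900; the PR's actual Dockerfile changes are not shown here.

$ErrorActionPreference = 'Stop'

# Both the native and the WOW64 (32-bit) views of WinTrust need the value,
# otherwise 32-bit Authenticode verification stays unmitigated.
$WintrustConfigKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Enable-CertPaddingCheck {
    foreach ($key in $WintrustConfigKeys) {
        # The Config key may not exist on a minimal image; create the path first.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # The advisory specifies a REG_SZ value holding the string "1".
        New-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' `
            -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    # Returns $true only when every key carries the expected REG_SZ "1",
    # which is the condition image scanners check for this CVE.
    foreach ($key in $WintrustConfigKeys) {
        $item = Get-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' `
            -ErrorAction SilentlyContinue
        if ($null -eq $item -or "$($item.EnableCertPaddingCheck)" -ne '1') {
            Write-Warning "CVE-2013-3900 mitigation missing at $key"
            return $false
        }
    }
    return $true
}

Enable-CertPaddingCheck
# Fail the build step if verification does not pass.
if (-not (Test-CertPaddingCheck)) { exit 1 }
```

Invoked from a Dockerfile `RUN` step on a Windows host, a non-zero exit fails the image build, so a regression in the mitigation is caught before the image is pushed rather than by a later scan.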
@kamilprz kamilprz marked this pull request as ready for review January 19, 2026 09:29
@kamilprz kamilprz requested a review from a team as a code owner January 19, 2026 09:29
@kamilprz kamilprz requested review from jimassa and vipul-21 January 19, 2026 09:29
kamilprz and others added 2 commits January 23, 2026 10:45
@kamilprz kamilprz added this pull request to the merge queue Jan 27, 2026
Merged via the queue into microsoft:main with commit fd482c0 Jan 27, 2026
32 checks passed
@kamilprz kamilprz deleted the kamilp/fedramp-cve branch January 27, 2026 16:58
github-merge-queue Bot pushed a commit that referenced this pull request Jan 28, 2026
# Description

As part of PR #1997 I introduced changes to how the Windows images are
built. This was not carried over into the 'Release Container Images' job
and thus it failed after the PR was merged.


This PR addresses that. I ran the action on my branch and everything was
green.

## Checklist

- [x] I have read the [contributing
documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See
[this
documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

---------

Signed-off-by: Kamil <kamil.prz@gmail.com>