Skip to content

chore: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-6276#1449

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1506-sourcebot-devsourcebot-cve-2026-6276-curl-libcurl-e1bc
Draft

chore: pin curl/libcurl to ^8.20.0-r0 to address CVE-2026-6276#1449
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1506-sourcebot-devsourcebot-cve-2026-6276-curl-libcurl-e1bc

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1506

Addresses CVE-2026-6276 (libcurl information disclosure: cookie leak when reusing connections with custom Host: headers), flagged by Trivy against the Docker image's curl/libcurl (installed 8.19.0-r0, fixed in 8.20.0-r0).

Alpine 3.23 now ships the patched curl 8.20.0-r0. The runner stage already runs apk upgrade --no-cache, but the scan reflects a build from before the patched version was published. This pins curl and libcurl to >=8.20.0-r0 in the runner apk add so the patched version is required explicitly and the build fails loudly if it isn't available. libcurl is pinned explicitly since it's pulled in transitively by curl, git, and wget.

Note: sibling PRs #1444, #1445, and #1446 make the same >=8.20.0-r0 pin for other curl CVEs (all fixed in the same upstream release). These can be consolidated into a single PR at merge if preferred.

linear-code Bot added 2 commits July 14, 2026 13:40
Fixes SOU-1506

Addresses CVE-2026-6276 (libcurl cookie leak on connection reuse with
custom Host headers), flagged by Trivy against the Docker image's
curl/libcurl (installed 8.19.0-r0, fixed in 8.20.0-r0).

The runner stage already runs apk upgrade --no-cache and Alpine 3.23
ships the patched curl 8.20.0-r0, but the scan reflects a build from
before it was published. Pin curl and libcurl to >=8.20.0-r0 in the
runner apk add so the patched version is required explicitly.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1506/sourcebot-devsourcebot-cve-2026-6276-curl-libcurl-information#agent-session-8984563e)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1506/sourcebot-devsourcebot-cve-2026-6276-curl-libcurl-information#agent-session-8984563e)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants