CPBR-3749: bump confluent-docker-utils to v0.0.170 (CVE-2026-25645) #1654

Closed
Nitin Singh (nitsingh-ui) wants to merge 1 commit into 8.0.2-cp7 from CPBR-3749-bump-docker-utils

@nitsingh-ui
Member

Updating confluent-docker-utils to v0.0.170 to resolve CVE-2026-25645.

v0.0.170 ships requests~=2.33.0, replacing requests~=2.32.0 (which resolved to 2.32.5 and was flagged in cp-base-new and downstream cp-jmxterm images).

Upstream fix: confluentinc/confluent-docker-utils#222 (merged, tag v0.0.170 published).

JIRA: https://confluentinc.atlassian.net/browse/CPBR-3749

@nitsingh-ui
Member Author

Superseded by #1655. The single-line docker-utils tag bump in this PR isn't enough — the new requests~=2.33.0 requires Python ≥3.10 but cp-base-new ships Python 3.9, so pip rejects the install at build time. #1655 ports the Python 3.14 from-source build from 8.0.x while preserving cp7's FIPS bits.

Closing this PR in favor of #1655.
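
The build failure described in the closing comment, as an added example that is not part of the PR or of confluent-docker-utils: a simplified model of how pip filters candidate releases by their Requires-Python metadata, usable as a pre-merge check on a dependency bump. The index is constructed sample data, the `>=3.9` entry for 2.32.5 is an assumption, all function names are hypothetical, and only `~=` pins and `>=` clauses are modelled.

```python
# Added example: simplified model of pip's Requires-Python filtering.
# INDEX is constructed sample metadata, not fetched from a package index.
INDEX = {
    "2.32.5": ">=3.9",   # assumption: the page only says 2.32.5 was in use
    "2.33.0": ">=3.10",  # stated in the PR comment
}


def parse(version):
    """Turn '3.9.18' into (3, 9, 18) for tuple comparison."""
    return tuple(int(part) for part in version.split("."))


def matches_compatible(version, spec):
    """True if version satisfies a '~=X.Y.Z' compatible-release pin."""
    if not spec.startswith("~="):
        raise ValueError(f"only '~=' pins are modelled: {spec!r}")
    base = parse(spec[2:])
    candidate = parse(version)
    # ~=X.Y.Z means: at least X.Y.Z, and still inside the X.Y series.
    return candidate >= base and candidate[: len(base) - 1] == base[:-1]


def python_ok(requires_python, interpreter):
    """Evaluate comma-separated '>=' clauses against an interpreter version."""
    running = parse(interpreter)
    for clause in (c.strip() for c in requires_python.split(",")):
        if not clause.startswith(">="):
            raise ValueError(f"unsupported clause: {clause!r}")
        if running < parse(clause[2:]):
            return False
    return True


def resolve(spec, interpreter, index=INDEX):
    """Newest release matching the pin that the interpreter may install, else None."""
    usable = [
        version
        for version, requires_python in index.items()
        if matches_compatible(version, spec) and python_ok(requires_python, interpreter)
    ]
    return max(usable, key=parse, default=None)


if __name__ == "__main__":
    for pin, py in [("~=2.32.0", "3.9"), ("~=2.33.0", "3.9"), ("~=2.33.0", "3.14")]:
        print(f"requests{pin} on Python {py}: {resolve(pin, py) or 'no installable release'}")
```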
