
[SECURITY] Container vulnerabilities in distroless-main (2026-05-29) #335

@github-actions

Description

🚨 Container Image Vulnerabilities Detected

Image: ghcr.io/firestoned/bindy:main-distroless (Distroless Main Branch)
Scan Date: 2026-05-29T03:54:27.179Z

Summary

  • 🔴 CRITICAL: 1
  • 🟠 HIGH: 6
  • 🟡 MEDIUM: 0

ghcr.io/firestoned/bindy:main-distroless (debian 12.12)

🔴 CRITICAL

  • CVE-2026-31789: libssl3@3.0.17-1~deb12u3
    • openssl: OpenSSL: Heap buffer overflow on 32-bit systems from large X.509 certificate processing
    • Fix: Upgrade to 3.0.19-1~deb12u2

🟠 HIGH

  • CVE-2025-15467: libssl3@3.0.17-1~deb12u3
    • openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing
    • Fix: Upgrade to 3.0.18-1~deb12u2
  • CVE-2025-69421: libssl3@3.0.17-1~deb12u3
    • openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing
    • Fix: Upgrade to 3.0.18-1~deb12u2
  • CVE-2026-28387: libssl3@3.0.17-1~deb12u3
    • openssl: OpenSSL: Arbitrary code execution due to use-after-free in DANE TLSA authentication
    • Fix: Upgrade to 3.0.19-1~deb12u2
  • CVE-2026-28388: libssl3@3.0.17-1~deb12u3
    • openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL processing
    • Fix: Upgrade to 3.0.19-1~deb12u2
  • CVE-2026-28389: libssl3@3.0.17-1~deb12u3
    • openssl: OpenSSL: Denial of Service vulnerability in CMS processing
    • Fix: Upgrade to 3.0.19-1~deb12u2

... and 1 more HIGH
Action Required: Review and remediate vulnerabilities within SLA.

  • CRITICAL: 24 hours
  • HIGH: 7 days

Compliance: PCI-DSS 6.2, SOX IT Controls, Basel III Cyber Risk
Full Report: Check workflow artifacts for complete Trivy scan results

Note: If this is the Distroless variant, consider switching to the Chainguard variant which has daily security updates and zero known CVEs.
