Update packages to fix CVEs in RHEL STIG images#290

Merged
almaslennikov merged 1 commit into Mellanox:network-operator-26.1.x from almaslennikov:cve-fix-rhel-release on Feb 13, 2026

Conversation

@almaslennikov
Collaborator

CVE-2025-15467, CVE-2025-66418, CVE-2026-21441: python3-urllib3 -> 1.26.5-6.el9_7.1
CVE-2025-66471, CVE-2025-69421: openssl, openssl-libs -> 1:3.5.1-7.el9_7

Signed-off-by: Alexander Maslennikov <amaslennikov@nvidia.com>
@greptile-apps

greptile-apps bot commented Feb 13, 2026

Greptile Overview

Greptile Summary

This PR adds a flexible mechanism to update specific packages in RHEL STIG images to address CVE vulnerabilities. The implementation adds a CVE_UPDATES_RHEL variable in the GitLab CI configuration that lists packages to update (openssl python3-urllib3), passes this as a build argument to both operator and daemon RHEL Dockerfiles, and performs conditional package updates using dnf update.

Key Changes:

  • Centralized CVE package list in .gitlab-ci.yml for easy maintenance
  • Conditional update step only runs when CVE_UPDATES_RHEL is non-empty
  • Applied consistently to both operator and daemon RHEL STIG images
  • Proper cleanup with dnf clean all to minimize image size

Note: The CVE numbers in the PR description appear to have formatting issues - CVE-2025-66418, CVE-2026-21441, CVE-2025-66471, and CVE-2025-69421 use unusually high CVE-ID numbers and one references 2026. Verify these CVE identifiers are correct.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation is clean, follows Docker best practices with conditional execution and cleanup, and maintains consistency across both RHEL STIG Dockerfiles. The changes are additive and don't modify existing functionality. Package updates are a standard security practice for addressing CVEs.
  • No files require special attention

Important Files Changed

Filename | Overview
.gitlab-ci.yml | Added CVE_UPDATES_RHEL variable and passed it as build arg to RHEL STIG image builds
Dockerfile.daemon.stig-rhel | Added conditional dnf update step for CVE packages specified via build arg
Dockerfile.operator.stig-rhel | Added conditional dnf update step for CVE packages specified via build arg

Last reviewed commit: 2ecd363
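The mechanism the review summarises, as an added example (not the project's own Dockerfile.operator.stig-rhel or Dockerfile.daemon.stig-rhel, whose base image and layout are not shown here): the build arg, the conditional dnf update with cache cleanup, and an extra verification step the PR itself does not include. It assumes a UBI 9 base image and takes the expected fixed VERSION-RELEASE strings from the PR description.

```dockerfile
# Added example, not the project's Dockerfile: conditional CVE package
# update driven by a build arg, followed by a check that fails the build
# if the fixed package versions did not actually land.
# Assumption: a RHEL 9 compatible base with dnf and rpm (UBI 9 here).
FROM registry.access.redhat.com/ubi9/ubi:latest

# Space-separated package names, supplied by CI as
#   docker build --build-arg CVE_UPDATES_RHEL="openssl python3-urllib3" .
# Defaults to empty so builds that do not pass the arg are unchanged.
ARG CVE_UPDATES_RHEL=""

# Update only when the list is non-empty ($CVE_UPDATES_RHEL is left
# unquoted on purpose so each name becomes its own argument), and clean
# the dnf cache in the same layer so repo metadata stays out of the image.
RUN if [ -n "$CVE_UPDATES_RHEL" ]; then \
        dnf update -y $CVE_UPDATES_RHEL && dnf clean all; \
    fi

# Verify the result instead of trusting the update. Expected minimum
# VERSION-RELEASE values come from the PR description. The sort -V
# comparison approximates RPM version ordering; it is good enough for a
# build-time sanity check but is not rpm's own comparison.
RUN set -e; \
    for spec in "openssl 3.5.1-7.el9_7" "python3-urllib3 1.26.5-6.el9_7.1"; do \
        set -- $spec; name=$1; want=$2; \
        have=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$name") \
            || { echo "ERROR: $name is not installed"; exit 1; }; \
        lowest=$(printf '%s\n%s\n' "$want" "$have" | sort -V | head -n1); \
        if [ "$lowest" != "$want" ]; then \
            echo "ERROR: $name is $have, expected at least $want"; exit 1; \
        fi; \
        echo "OK: $name $have"; \
    done
```

Because dnf update floats to whatever the repository currently serves, the check is what turns "we ran an update" into "the image contains at least the fixed build".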

@greptile-apps greptile-apps bot left a comment

3 files reviewed, no comments

@almaslennikov almaslennikov merged commit 709c747 into Mellanox:network-operator-26.1.x Feb 13, 2026
5 of 8 checks passed