Update lscr.io/linuxserver/radarr:6.1.1 Docker digest to c0a4335 #3318
renovate[bot] wants to merge 1 commit into
Triage: YELLOW -- possible breakage, reviewer requested
Quick summary
Same-version tag with digest rotation on
Updates table
Required actions
Update summary
| Surface | Value |
|---|---|
| Image | lscr.io/linuxserver/radarr:6.1.1 (StatefulSet, 1 replica) |
| Namespace | inferred: same as other rpi5 apps (not explicitly set in manifest — uses default or kustomization namespace) |
| Env vars | PUID=2011, PGID=3002, TZ=America/Los_Angeles |
| Volume mounts | /config (PVC config-radarr-0, 5Gi RWO), /data (hostPath /data), /etc/ssl/certs/ca-certificates.crt (ConfigMap anshulg-ca) |
| Security context | fsGroup: 3002 (pod-level); no container-level securityContext |
| Probes | liveness + readiness: GET /ping:7878, initialDelay 30s |
| Resources | requests: 250m CPU / 500Mi RAM; limits: 1Gi RAM (no CPU limit) |
| Service | radarr ClusterIP port 80 → targetPort http (7878) |
| Ingress | Traefik IngressRoute (radarr.local, radarr.internal) via radarr-auth:443; Tailscale Ingress (radarr) |
| Auth | oauth2-proxy sidecar deployment (radarr-auth service) |
| Backup | CronJob radarr-backup daily 22:13, reads PVC config-radarr-0, calls http://radarr API |
| Mesh | Linkerd injected (linkerd.io/inject: enabled) |
| VPA | Present (rpi5/radarr/vpa.yaml) |
Cluster fit
- Architectures required by cluster: amd64, arm64 (rpi5 nodes)
- Architectures supported by new version: amd64 ✅, arm64 ✅ — confirmed by LinuxServer CI (amd64-6.1.1.10360-ls304 PASS, arm64v8-6.1.1.10360-ls304 PASS)
- Kubernetes API versions used in manifest sources: apps/v1 (StatefulSet), v1 (Service, ConfigMap), batch/v1 (CronJob), traefik.io/v1alpha1 (IngressRoute, ServersTransport), networking.k8s.io/v1 (Ingress) — all current, none deprecated
- Minimum K8s version stated by dep: not stated (LinuxServer images do not declare a minimum K8s version)
- Peer dependency check: No chart dependencies; plain manifest deployment. Traefik IngressRoute and Tailscale Ingress are already in use by other apps in the cluster — no new ecosystem requirements introduced by this bump.
Gaps
- The specific Alpine package that was bumped in package_versions.txt was not retrieved (the file diff was not fetched). However, given this is a routine weekly package refresh by LinuxServer CI and both architecture CI tests pass cleanly, the risk is negligible.
- Namespace for the radarr deployment is not explicitly declared in the manifest files reviewed; it is likely set by a Kustomize overlay or ArgoCD Application not examined. This does not affect the impact assessment.
- The rpi5/radarr/vpa.yaml content was not read in full; VPA mode (Off/Initial/Auto) is unknown, but this is irrelevant to the digest bump assessment.
Upstream changelog
I now have enough information to produce the complete research output. The key finding is that libxml2 2.13.9-r1 (Alpine edge) is the version in the new image, while 2.13.9-r0 was in the old image. The Alpine security tracker shows that 2.13.9-r0 in Alpine 3.23 is listed as "possibly vulnerable" to several CVEs (CVE-2025-49795, CVE-2025-49796), and the -r1 revision was built on Alpine edge on 2026-03-29 to address these. The image uses Alpine 3.23 (alpine-release 3.23.4-r0), and the -r1 package was pulled in from edge/main.
lscr.io/linuxserver/radarr 6.1.1 079e488 → c0a4335
Summary
- Artifact type: Container image (LinuxServer.io Docker image on LSCR)
- Input format: Image tag 6.1.1 with short-SHA digests (079e488 → c0a4335) — digest rotation on the same version tag
- Resolved references: Both digests correspond to the same Radarr application version 6.1.1.10360. The old digest maps to LinuxServer release tag 6.1.1.10360-ls303 (commit cdb071c, 2026-05-17); the new digest maps to 6.1.1.10360-ls304 (commit 069832c, 2026-05-31). Source repo: github.com/linuxserver/docker-radarr
- Versions in range: 6.1.1.10360-ls303 → 6.1.1.10360-ls304 (one intermediate build, no pre-releases in the stable 6.1.1 track)
- Source repo: LinuxServer docker-radarr repository
- Primary sources used:
  - LinuxServer release notes for 6.1.1.10360-ls304
  - package_versions.txt diff between the two builds
  - Alpine Security Tracker: CVE-2025-49795 and CVE-2025-49796
- Versioning scheme: LinuxServer custom — {radarr_version}-ls{build_number}. The 6.1.1 image tag is a floating tag that always points to the latest ls build for that Radarr version.
- Major version boundary crossed: No
- Confidence: medium — package diff is fully documented; the exact CVE fix scope of libxml2 2.13.9-r1 on Alpine 3.23 is partially inferred from Alpine Security Tracker data (the -r1 revision is listed as "possibly vulnerable" to CVE-2026-6732 on edge, but fixes CVE-2025-49795/49796 on Alpine 3.21/3.22/3.23)
Breaking Changes
None found. This is a digest rotation on the same Radarr application version. The Radarr application (6.1.1.10360), all .NET dependencies, and all other Alpine packages are identical between the two builds. No configuration, API, or behavioral changes.
Other Notable Changes
- libxml2 bumped from 2.13.9-r0 to 2.13.9-r1 (Alpine apk): Security patch revision. Alpine 3.23 picked up the -r1 build (originally built for Alpine edge on 2026-03-29). The -r0 version is listed as "possibly vulnerable" to CVE-2025-49795 (NULL pointer dereference in XPath processing, DoS, HIGH) and CVE-2025-49796 (memory corruption via sch:name elements, DoS/undefined behavior, CRITICAL) on Alpine 3.23. The -r1 revision addresses these. Source: Alpine Security Tracker entries for CVE-2025-49795 and CVE-2025-49796
Deprecations Introduced
None found.
Gaps and Caveats
- libxml2 2.13.9-r1 CVE fix scope on Alpine 3.23 is partially inferred: The Alpine Security Tracker shows 2.13.9-r0 on Alpine 3.23 as "possibly vulnerable" to CVE-2025-49795 and CVE-2025-49796, and the -r1 revision is the fix. However, the tracker's Alpine 3.23 entry for 2.13.9-r1 is not yet explicitly listed as "fixed" (only the edge branch shows -r1). The fix is inferred from the pattern across Alpine 3.21/3.22/3.23 branches. CVE-2026-6732 (type confusion in XSD validation, DoS) lists both -r0 and -r1 as "possibly vulnerable" on edge — this CVE may not be addressed by this update.
- No migration guide exists at standard paths (UPGRADING.md, MIGRATING.md) — not applicable for a patch-level digest rotation.
- The 6.1.1 image tag is floating — it will continue to be updated with future ls builds. Downstream consumers pinning by digest (as this PR does) are correctly isolated from future rotations.
- LinuxServer release notes for ls304 state only "Updating to 6.1.1.10360" under Remote Changes and no LinuxServer-specific changes — confirming the only delta is the libxml2 package bump.
Provenance
RESEARCH_FAILED: provenance researcher could not complete.
Reason: Prompt error: CompletionError: ProviderError: {"error":{"message":"{\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 213031 tokens > 200000 maximum\"},\"request_id\":\"req_011CbbcYCKwhwCpYY9sqxeW2\"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=['claude-haiku-4-5-fallback']\nError doing the fallback: {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 212887 tokens > 200000 maximum\"},\"request_id\":\"req_011CbbcYGRW4DranuHup97eC\"}"
The categorizer must treat this as an unverified signal and downgrade the verdict accordingly (do not assume safety).
This PR contains the following updates:
079e488 → c0a4335
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.