
fix(sec): patch 3 critical CVEs, bump to v0.1.5 (closes #164) #172

Merged

longieirl merged 1 commit into main from worktree-agent-a67bda03c787f209c on May 4, 2026

Conversation

@longieirl
Owner

Pull Request

Summary

Rebuilds the production Docker image to pick up openssl 3.5.5-1~deb13u2, resolving 3 critical CVE-2026-31789 findings detected by automated Trivy scanning (issue #164). Bumps version to 0.1.5.

The 3 criticals are all CVE-2026-31789 (OpenSSL heap buffer overflow on 32-bit systems from large X.509 certificate processing) affecting libssl3t64, openssl, and openssl-provider-legacy. The fix was released in Debian as openssl 3.5.5-1~deb13u2 after the v0.1.4 image was built. The existing apt-get upgrade -y in the production Dockerfile stage picks up the patched packages on every rebuild — no Dockerfile changes are needed.

Changes

  • Version bumped 0.1.4 -> 0.1.5 in all 3 version files (packages/parser-core/pyproject.toml, packages/parser-core/src/bankstatements_core/__version__.py, packages/parser-free/pyproject.toml)
  • CHANGELOG.md updated with CVE-2026-31789 details and affected packages

Type

  • Security

Testing

  • Tests pass (coverage ≥ 91%)
  • Manually tested
  • make docker-integration passed locally (Docker daemon unavailable in agent environment; CI Trivy gate will verify 0 criticals on rebuilt image)

Checklist

  • Code follows project style
  • Self-reviewed
  • Documentation updated (if needed)
  • No new warnings

Downstream impact

  • This PR changes a public interface in bankstatements_core (exported class, function, or exception)

- Bump version 0.1.4 -> 0.1.5 in all 3 version files
- Add CHANGELOG entry for 3 critical OpenSSL CVEs (CVE-2026-31789)
  affecting libssl3t64, openssl, openssl-provider-legacy
- Dockerfile apt-get upgrade already pulls openssl 3.5.5-1~deb13u2 fix
  on rebuild; no Dockerfile change needed
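A check for the claim above that the rebuilt image really carries the fixed packages, added here as an editor's example and not part of the PR or the project: it takes `dpkg-query -W -f='${Package} ${Version}\n'` output captured from the image, reimplements dpkg's version ordering (the `~` rule matters, since `1~deb13u2` sorts before a plain `1`), and lists any of the three affected packages still below 3.5.5-1~deb13u2. The sample dpkg-query lines, including the pre-fix version, are constructed placeholders, not taken from the real v0.1.4 image.

```python
# Added example (not from the PR): confirm the affected OpenSSL packages are at or
# above the fixed Debian version, using dpkg's own version-ordering rules.
FIXED = "3.5.5-1~deb13u2"
AFFECTED = ("libssl3t64", "openssl", "openssl-provider-legacy")

def _order(c):
    # dpkg weight: '~' < end-of-string == digit < letters < other punctuation
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (char weights) and numeric runs (as integers)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
    return 0

def dpkg_compare(v1, v2):
    # Like `dpkg --compare-versions`: epoch, then upstream version, then Debian revision
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def unpatched_packages(dpkg_query_output):
    # dpkg_query_output: `dpkg-query -W -f='${Package} ${Version}\n'` run inside the image
    installed = dict(line.split(maxsplit=1) for line in dpkg_query_output.splitlines() if line.strip())
    return [p for p in AFFECTED if p in installed and dpkg_compare(installed[p], FIXED) < 0]

# Constructed sample output; the pre-fix version is a placeholder, not the real v0.1.4 image content.
BEFORE_REBUILD = "libssl3t64 3.5.5-1~deb13u1\nopenssl 3.5.5-1~deb13u1\nopenssl-provider-legacy 3.5.5-1~deb13u1\nlibc6 2.41-12\n"
AFTER_REBUILD = BEFORE_REBUILD.replace("1~deb13u1", "1~deb13u2")

if __name__ == "__main__":
    print("still vulnerable:", unpatched_packages(BEFORE_REBUILD))  # all three affected packages
    print("still vulnerable:", unpatched_packages(AFTER_REBUILD))   # []
```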
@longieirl longieirl self-assigned this May 4, 2026
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label May 4, 2026
@longieirl longieirl merged commit dc7d7ee into main May 4, 2026
14 checks passed
@longieirl longieirl deleted the worktree-agent-a67bda03c787f209c branch May 4, 2026 14:02