Merged
4 changes: 2 additions & 2 deletions .docker/clamav.dockerfile
Expand Up @@ -10,9 +10,9 @@
# @see https://hub.docker.com/r/uselagoon/commons/tags
# @see https://github.com/uselagoon/lagoon-images/tree/main/images/commons

FROM uselagoon/commons:26.2.0 AS commons
FROM uselagoon/commons:26.3.0 AS commons

FROM clamav/clamav-debian:1.5.2-32
FROM clamav/clamav-debian:1.5.2-34
Comment on lines +13 to +15

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify Docker image versions exist and check release information

echo "=== Verifying uselagoon/commons:26.3.0 ==="
docker manifest inspect uselagoon/commons:26.3.0 > /dev/null 2>&1 && echo "✓ Image exists" || echo "✗ Image not found"

echo -e "\n=== Verifying clamav/clamav-debian:1.5.2-34 ==="
docker manifest inspect clamav/clamav-debian:1.5.2-34 > /dev/null 2>&1 && echo "✓ Image exists" || echo "✗ Image not found"

echo -e "\n=== Checking for GitHub security advisories ==="
# Check ClamAV advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: PIP, package: "clamav") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: drevops/website

Length of output: 396


🌐 Web query:

ClamAV 1.5.2 release notes and changelog

💡 Result:

ClamAV 1.5.2 is a security patch release published on March 4, 2026. It addresses several vulnerabilities and bugs. Key changes include:
- CVE-2026-20031: Fixed an error handling bug in the HTML file parser that may crash the program and cause a denial-of-service (DoS) condition. This issue was introduced in version 1.1.0.
- Fixed a possible crash caused by invalid pointer alignment on some platforms (courtesy of Hsuan-Ming Chen at Synology PSIRT).
- Upgraded the Rust bytes dependency to resolve RUSTSEC-2026-0007 advisory.
- Freshclam: Fixed CLD verification bug with PrivateMirror option.
- The CVD verification process now ignores certificate files in the CVD certs directory when the user lacks read permissions.
- Fixed a possible crash on Windows when scanning some files while using LeaveTemporaryFiles and TemporaryDirectory options.
- Fixed a possible infinite loop when scanning some JPEG files by upgrading the affected ClamAV dependency (a Rust image library). Note: This requires a newer Rust compiler (minimum 1.87.0).

Downloads are available on the official ClamAV downloads page, GitHub releases, and Docker Hub. This is a patch release on top of 1.5.0/1.5.1, focusing on security fixes shared with 1.4.4.



🌐 Web query:

uselagoon/commons Docker image version 26.3.0 changelog

💡 Result:

No changelog found for uselagoon/commons Docker image version 26.3.0. The official GitHub releases page for uselagoon/lagoon-images (https://github.com/uselagoon/lagoon-images/releases) shows the latest release as 26.1.0 (January 21, 2025), which includes general changes like updating base images to Alpine 3.23 and various dependency updates. Docker Hub tags for uselagoon/commons list up to 26.1.0, with no mention of 26.3.0. Other Lagoon images like nginx-drupal and varnish-6 have tags up to 26.2.0. Version 26.3.0 may not exist or has not been publicly released as of 2026-03-26.



🌐 Web query:

clamav/clamav-debian Docker image 1.5.2-34 release

💡 Result:

The clamav/clamav-debian:1.5.2-34 Docker image is an official, multi-architecture (linux/amd64, linux/arm64, linux/ppc64le) Debian-based image for ClamAV version 1.5.2. It was last pushed about 12 hours ago (as of 2026-03-26) by clambotgen84202. The image size is approximately 184 MB for amd64, 181 MB for arm64, and 188 MB for ppc64le. It includes preloaded ClamAV signature databases.

This tag follows the naming convention <ClamAV_version>-<build_revision>, where 1.5.2 is the recent security patch release (published March 2026, fixing CVE-2026-20031 in HTML parser, Rust dependency upgrades, freshclam fixes, and pointer alignment crashes), and -34 is the 34th build/revision of that version, likely incorporating Debian base image security updates or minor rebuilds. Images are built weekly for base OS security fixes.

Pull command: docker pull clamav/clamav-debian:1.5.2-34

Documentation and usage: https://docs.clamav.net/manual/Installing/Docker.html. Mount /var/lib/clamav for persistent databases. clamd listens on TCP 3310. Equivalent tags: 1.5.2, latest, stable (point to this build).



uselagoon/commons:26.3.0 does not exist—use 26.1.0 or 26.2.0 instead.

The uselagoon/commons version 26.3.0 specified on line 13 does not appear to exist. The latest official release from uselagoon/lagoon-images is 26.1.0 (published January 2025), with other Lagoon images having tags up to 26.2.0. This will cause build failures. Use an available version from the Docker Hub registry.

The clamav/clamav-debian:1.5.2-34 update on line 15 is valid and recommended—it includes the ClamAV 1.5.2 security patch released March 2026, which fixes CVE-2026-20031 in the HTML file parser and other critical vulnerabilities.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.docker/clamav.dockerfile around lines 13 - 15, The Dockerfile references a
non-existent uselagoon image tag "uselagoon/commons:26.3.0" (FROM
uselagoon/commons:26.3.0 AS commons); update that tag to a valid published
release such as 26.1.0 or 26.2.0 to avoid build failures, leaving the clamav
base (FROM clamav/clamav-debian:1.5.2-34) unchanged as it is the recommended,
patched image. Ensure the FROM line for uselagoon/commons is replaced with
either "uselagoon/commons:26.1.0" or "uselagoon/commons:26.2.0".


COPY --from=commons /lagoon /lagoon
COPY --from=commons /bin/fix-permissions /bin/ep /bin/docker-sleep /bin/wait-for /bin/
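
Review bot: both changed FROM lines (`uselagoon/commons:26.3.0` and `clamav/clamav-debian:1.5.2-34`) still pin by tag only, and the `COPY --from=commons` lines under them carry /lagoon and the /bin helpers from the commons stage into the scanner image, so a re-pushed tag would change the build inputs with no diff in this file. Suggest appending the resolved digest to each, in the form `FROM clamav/clamav-debian:1.5.2-34@sha256:<digest>`, and confirming with `docker manifest inspect` that `uselagoon/commons:26.3.0` resolves before merge, since the review comment on these lines reports that tag as missing.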
2 changes: 1 addition & 1 deletion .docker/cli.dockerfile
Expand Up @@ -7,7 +7,7 @@
# @see https://hub.docker.com/r/uselagoon/php-8.3-cli-drupal/tags
# @see https://github.com/uselagoon/lagoon-images/tree/main/images/php-cli-drupal

FROM uselagoon/php-8.3-cli-drupal:26.2.0
FROM uselagoon/php-8.3-cli-drupal:26.3.0

# Add missing variables.
# @todo Remove once https://github.com/uselagoon/lagoon/issues/3121 is resolved.
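
Review bot: the `# @todo Remove once https://github.com/uselagoon/lagoon/issues/3121 is resolved.` workaround directly below the bumped `FROM uselagoon/php-8.3-cli-drupal:26.3.0` is carried over without being rechecked. A base image bump is the natural point to verify whether that issue is resolved in the new release; please state in the PR whether the "missing variables" block is still needed on 26.3.0, so the workaround does not outlive its reason.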
2 changes: 1 addition & 1 deletion .docker/database.dockerfile
Expand Up @@ -5,7 +5,7 @@
#
# The ARG value will be updated with a value passed from docker-compose.yml

ARG IMAGE=uselagoon/mysql-8.4:26.2.0
ARG IMAGE=uselagoon/mysql-8.4:26.3.0
# hadolint ignore=DL3006
FROM ${IMAGE}
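
Review bot: the new default in `ARG IMAGE=uselagoon/mysql-8.4:26.3.0` only takes effect when nothing overrides it, and the comment above it says the value is passed from docker-compose.yml, which is not among the files shown in this diff. Please confirm the compose file passes the same 26.3.0 tag (or no value), otherwise the database keeps building from whatever tag is set there. Because `# hadolint ignore=DL3006` silences the untagged-image check on `FROM ${IMAGE}`, an override without a tag would also pass lint.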

2 changes: 1 addition & 1 deletion .docker/nginx-drupal.dockerfile
Expand Up @@ -11,7 +11,7 @@ ARG CLI_IMAGE
# hadolint ignore=DL3006
FROM ${CLI_IMAGE:-cli} AS cli

FROM uselagoon/nginx-drupal:26.2.0
FROM uselagoon/nginx-drupal:26.3.0

# Webroot is used for Nginx web root configuration.
ARG WEBROOT=web
2 changes: 1 addition & 1 deletion .docker/php.dockerfile
Expand Up @@ -12,7 +12,7 @@ ARG CLI_IMAGE
# hadolint ignore=DL3006
FROM ${CLI_IMAGE:-cli} AS cli

FROM uselagoon/php-8.3-fpm:26.2.0
FROM uselagoon/php-8.3-fpm:26.3.0

RUN apk add --no-cache tzdata
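
Review bot: `FROM uselagoon/php-8.3-fpm:26.3.0` is bumped here, but the `cli` stage above it comes from `${CLI_IMAGE:-cli}`, which is resolved at build time and not pinned in this file. If CLI_IMAGE is passed a previously built image, the FPM container runs on 26.3.0 while anything taken from the `cli` stage comes from an older base. Suggest rebuilding the CLI image in the same pipeline run, or documenting that requirement next to the `ARG CLI_IMAGE` line.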

2 changes: 1 addition & 1 deletion .docker/solr.dockerfile
Expand Up @@ -5,7 +5,7 @@
# @see https://hub.docker.com/r/uselagoon/solr-9-drupal/tags
# @see https://github.com/uselagoon/lagoon-images/blob/main/images/solr-drupal/9.Dockerfile

FROM uselagoon/solr-9-drupal:26.2.0
FROM uselagoon/solr-9-drupal:26.3.0

# Solr jump-start config needs to be manually copied from the search_api_solr
# Drupal module to .docker/config/solr/config-set.
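
Review bot: the context comment under `FROM uselagoon/solr-9-drupal:26.3.0` says the jump-start config is copied manually from the search_api_solr module into .docker/config/solr/config-set, and nothing in this hunk shows that copy was rechecked against the new base image. Please state in the PR whether the config set still loads on 26.3.0, or add a build-time check for it, since a tag bump can bring a different Solr 9 release.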