fix: resolve April 2026 docker-ptf security vulnerabilities by auspham · Pull Request #26676 · sonic-net/sonic-buildimage

auspham · 2026-04-09T11:17:08Z

Why I did it

Attempt to fix new docker-ptf security vulnerability as of 04/2026

This pull request updates the dockers/docker-ptf/Dockerfile.j2 to incorporate several dependency upgrades and security improvements. The main focus is on updating Go and related dependencies to address vulnerabilities and ensure compatibility with the latest features and fixes.

Dependency and version updates:

Upgraded the Go version used in the Docker image from 1.25.8 to 1.25.9 for improved stability and security.
Updated the go.opentelemetry.io/otel/sdk dependency from version v1.40.0 to v1.43.0 for the gnmic build process.
Added or updated the github.com/go-jose/go-jose/v4 dependency to version v4.1.4 in the build steps for grpcurl, gnoic, and gnmic to ensure consistent cryptography support. [1] [2] [3]
Added the latest versions of github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream and github.com/aws/aws-sdk-go-v2/service/s3 as dependencies for the gnmic build.

Security improvements:

Included a system package upgrade step to address vulnerabilities such as CVE-2026-33416 and CVE-2026-33636 (affecting libpng16-16), among others.

Work item tracking

Microsoft ADO (number only):

How I did it

How to verify it

Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

mssonicbld · 2026-04-09T11:17:16Z

/azp run Azure.sonic-buildimage

linux-foundation-easycla · 2026-04-09T11:17:17Z

The committers listed above are authorized under a signed CLA.

✅ login: auspham / name: Austin Pham (e60cdf2)
✅ login: Copilot / name: Copilot (e60cdf2)

azure-pipelines · 2026-04-09T11:17:29Z

Azure Pipelines successfully started running 1 pipeline(s).

Copilot

Pull request overview

Updates the docker-ptf container build to remediate newly reported April 2026 security findings by upgrading the Go toolchain and several Go module dependencies used to build included utilities.

Changes:

Bump Go toolchain used during image build from 1.25.8 to 1.25.9.
Add/update Go module dependencies for grpcurl/gnoic/gnmic builds (notably go-jose/v4 and otel/sdk).
Add an additional OS package upgrade step and pull in AWS SDK modules for gnmic.

mssonicbld · 2026-04-09T14:11:00Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-09T14:11:16Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-04-09T14:13:58Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-09T14:14:11Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-04-09T14:28:15Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-09T14:28:30Z

Azure Pipelines successfully started running 1 pipeline(s).

Copilot

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

mssonicbld · 2026-04-09T14:39:13Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-09T14:39:26Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-04-09T14:54:04Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-09T14:54:18Z

Azure Pipelines successfully started running 1 pipeline(s).

Copilot

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

mssonicbld · 2026-04-09T15:06:24Z

/azp run Azure.sonic-buildimage

mssonicbld · 2026-04-14T00:30:43Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-14T00:30:55Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-04-14T00:33:45Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-14T00:33:57Z

Azure Pipelines successfully started running 1 pipeline(s).

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

- Upgrade Go toolchain 1.25.8 → 1.25.9 (fixes CVE-2026-32280 through CVE-2026-32289: stdlib crypto/tls, archive/tar, html/template, os) - Bump go.opentelemetry.io/otel/sdk v1.40.0 → v1.43.0 in gnmic (CVE-2026-39883: PATH hijacking via BSD kenv) - Add github.com/go-jose/go-jose/[email protected] to gnmic, gnoic, grpcurl (CVE-2026-34986: DoS via crafted JSON Web Encryption) - Bump github.com/docker/docker to latest in gnmic (CVE-2026-34040: authorization bypass, CVE-2026-33997: privilege validation bypass during plugin installation) - Add aws-sdk-go-v2 eventstream/s3 latest to gnmic (GHSA-xmrv-pmrh-hhx2: DoS via panic in AWS SDK for Go v2) - Existing apt-get upgrade covers libpng16-16 fix (CVE-2026-33416: use-after-free, CVE-2026-33636: OOB read/write) Co-authored-by: Copilot <[email protected]> Signed-off-by: Ubuntu <austinpham@austinpham-dev-vm-2.d4y3nv5wwgfelhhopdxv1tqjld.dx.internal.cloudapp.net> Signed-off-by: Austin Pham (agent) <[email protected]>

mssonicbld · 2026-04-14T02:14:29Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-04-14T02:14:41Z

Azure Pipelines successfully started running 1 pipeline(s).

Cherry-pick e60cdf2 to bring Go 1.25.9, go-jose/v4, otel/sdk, aws-sdk-go-v2/s3 upgrades and gocloud-patches to 202411 branch. Co-authored-by: Copilot <[email protected]> Signed-off-by: Austin Pham (agent) <[email protected]>

mssonicbld · 2026-04-17T05:54:38Z

Cherry-pick PR to 202511: #26866

Cherry-pick e60cdf2 to bring Go 1.25.9, go-jose/v4, otel/sdk, aws-sdk-go-v2/s3 upgrades and gocloud-patches to 202411 branch. Co-authored-by: Copilot <[email protected]> Signed-off-by: Austin Pham (agent) <[email protected]>

mssonicbld · 2026-04-23T04:58:49Z

The change is not in 202505 yet. @auspham, please manually create the cherry pick PR for branch 202505.
You can ping the release branch owner(github account: ) to approve your cherry pick PR.
If this change is already in 202505, please comment "already in 202505". Thanks!

_{---Powered by SONiC BuildBot}

Copilot AI review requested due to automatic review settings April 9, 2026 11:17

auspham requested a review from lguohan as a code owner April 9, 2026 11:17

Copilot started reviewing on behalf of auspham April 9, 2026 11:17 View session

Copilot AI reviewed Apr 9, 2026

View reviewed changes

Comment thread dockers/docker-ptf/Dockerfile.j2

Comment thread dockers/docker-ptf/Dockerfile.j2

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from 13f390b to 86d2223 Compare April 9, 2026 14:10

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from 86d2223 to cf7438e Compare April 9, 2026 14:13

Copilot AI review requested due to automatic review settings April 9, 2026 14:28

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from cf7438e to 2ca0308 Compare April 9, 2026 14:28

Copilot started reviewing on behalf of auspham April 9, 2026 14:28 View session

Copilot AI reviewed Apr 9, 2026

View reviewed changes

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from 2ca0308 to 6c3af36 Compare April 9, 2026 14:39

Copilot AI review requested due to automatic review settings April 9, 2026 14:53

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from 6c3af36 to cddd862 Compare April 9, 2026 14:53

Copilot started reviewing on behalf of auspham April 9, 2026 14:54 View session

Copilot AI reviewed Apr 9, 2026

View reviewed changes

Comment thread dockers/docker-ptf/Dockerfile.j2 Outdated

Comment thread dockers/docker-ptf/Dockerfile.j2

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from cddd862 to c4d2f46 Compare April 9, 2026 15:06

Copilot AI review requested due to automatic review settings April 14, 2026 00:30

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from 5dfdbb9 to 950ccb1 Compare April 14, 2026 00:30

Copilot started reviewing on behalf of auspham April 14, 2026 00:31 View session

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from 950ccb1 to 7b452c3 Compare April 14, 2026 00:33

Copilot AI reviewed Apr 14, 2026

View reviewed changes

Comment thread dockers/docker-ptf/Dockerfile.j2 Outdated

Comment thread dockers/docker-ptf/Dockerfile.j2 Outdated

Comment thread dockers/docker-ptf/Dockerfile.j2 Outdated

auspham force-pushed the austinpham/36979761-resolve-april-docker-ptf-vulnerability branch from 7b452c3 to e60cdf2 Compare April 14, 2026 02:14

wangxin approved these changes Apr 15, 2026

View reviewed changes

yejianquan merged commit e44fc72 into sonic-net:master Apr 16, 2026
23 checks passed

auspham added Request for 202505 Branch Request for 202511 Branch labels Apr 17, 2026

mssonicbld added the Cherry Pick Conflict_202505 label Apr 17, 2026

auspham mentioned this pull request Apr 17, 2026

[202505] fix: resolve April 2026 docker-ptf security vulnerabilities (#26676) #26860

Merged

8 tasks

vmittal-msft added the Approved for 202511 Branch label Apr 17, 2026

mssonicbld mentioned this pull request Apr 17, 2026

[action] [PR:26676] fix: resolve April 2026 docker-ptf security vulnerabilities #26866

Merged

8 tasks

mssonicbld added the Created PR to 202511 Branch label Apr 17, 2026

mssonicbld added Included in 202511 Branch and removed Created PR to 202511 Branch labels Apr 21, 2026

Conversation

auspham commented Apr 9, 2026

Why I did it

Work item tracking

How I did it

How to verify it

Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Uh oh!

mssonicbld commented Apr 9, 2026

Uh oh!

linux-foundation-easycla Bot commented Apr 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

azure-pipelines Bot commented Apr 9, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

mssonicbld commented Apr 9, 2026

Uh oh!

azure-pipelines Bot commented Apr 9, 2026

Uh oh!

mssonicbld commented Apr 9, 2026

Uh oh!

azure-pipelines Bot commented Apr 9, 2026

Uh oh!

mssonicbld commented Apr 9, 2026

Uh oh!

azure-pipelines Bot commented Apr 9, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

mssonicbld commented Apr 9, 2026

Uh oh!

azure-pipelines Bot commented Apr 9, 2026

Uh oh!

mssonicbld commented Apr 9, 2026

Uh oh!

azure-pipelines Bot commented Apr 9, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

mssonicbld commented Apr 9, 2026

Uh oh!

mssonicbld commented Apr 14, 2026

Uh oh!

azure-pipelines Bot commented Apr 14, 2026

Uh oh!

mssonicbld commented Apr 14, 2026

Uh oh!

azure-pipelines Bot commented Apr 14, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mssonicbld commented Apr 14, 2026

Uh oh!

azure-pipelines Bot commented Apr 14, 2026

Uh oh!

Uh oh!

mssonicbld commented Apr 17, 2026

Uh oh!

mssonicbld commented Apr 23, 2026

linux-foundation-easycla Bot commented Apr 9, 2026 •

edited

Loading