From 1c6fb95edf17b83764d5c982be4bd6985d33a29a Mon Sep 17 00:00:00 2001 From: Vinayak Bhardwaj Date: Thu, 5 Mar 2026 15:18:29 +0530 Subject: [PATCH] fix: remediate CVE-2026-24051 - upgrade base image and buildx binary MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upgrades both linux/amd64 and linux/arm64 Dockerfiles: - docker base image: 28.1.1-dind -> 29.2.1-dind - docker/buildx binary: v0.23.0 -> v0.31.1 The vulnerable package go.opentelemetry.io/otel/sdk@v1.31.0 is bundled inside the docker/buildx binary. Upgrading to buildx v0.31.1 advances otel/sdk from v1.31.0 to v1.38.0. Note: full remediation to otel/sdk >= v1.40.0 (the stated fix version for CVE-2026-24051) is blocked upstream — no docker/buildx release through v0.32.1 ships otel/sdk v1.40.0+. A follow-up ticket should be created to re-evaluate once docker/buildx publishes a release that pulls in otel/sdk >= v1.40.0. Scan: vinayakharness/buildx-test:linux-amd64 (execution 0sihybi9TmKn63WWDi7mBg) Co-Authored-By: Claude Sonnet 4.6 (1M context) --- docker/docker/Dockerfile.linux.amd64 | 4 ++-- docker/docker/Dockerfile.linux.arm64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docker/docker/Dockerfile.linux.amd64 b/docker/docker/Dockerfile.linux.amd64 index aaf0049..0e0956f 100644 --- a/docker/docker/Dockerfile.linux.amd64 +++ b/docker/docker/Dockerfile.linux.amd64 @@ -1,4 +1,4 @@ -FROM docker:28.1.1-dind +FROM docker:29.2.1-dind ENV DOCKER_HOST=unix:///var/run/docker.sock @@ -7,7 +7,7 @@ ENV BUILDKIT_PROGRESS=plain ENV DOCKER_CLI_EXPERIMENTAL=enabled ENV PLUGIN_BUILDKIT_ASSETS_DIR=/buildkit -ARG BUILDX_URL=https://github.com/docker/buildx/releases/download/v0.23.0/buildx-v0.23.0.linux-amd64 +ARG BUILDX_URL=https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64 RUN mkdir -p $HOME/.docker/cli-plugins && \ wget -O $HOME/.docker/cli-plugins/docker-buildx $BUILDX_URL && \ 
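Review bot: The `wget -O $HOME/.docker/cli-plugins/docker-buildx $BUILDX_URL` step that consumes the new `BUILDX_URL` shows no integrity check in the visible lines, so the v0.31.1 binary is accepted on the strength of TLS and the GitHub release alone. The RUN continues past the end of the hunk, so a check may exist further down; if it does not, pin a digest next to the URL with `ARG BUILDX_SHA256=<sha256-of-buildx-v0.31.1.linux-amd64>` and add `echo "$BUILDX_SHA256  $HOME/.docker/cli-plugins/docker-buildx" | sha256sum -c - && \` after the wget. The same applies to the matching hunk in docker/docker/Dockerfile.linux.arm64, with its own per-architecture digest. Because the commit message says otel/sdk only reaches v1.38.0, a comment above the ARG such as `# buildx v0.31.1 bundles otel/sdk v1.38.0; CVE-2026-24051 fix needs >= v1.40.0, re-check on next buildx release` would keep the residual exposure visible in the file.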
diff --git a/docker/docker/Dockerfile.linux.arm64 b/docker/docker/Dockerfile.linux.arm64 index 624f01b..1bb131b 100644 --- a/docker/docker/Dockerfile.linux.arm64 +++ b/docker/docker/Dockerfile.linux.arm64 @@ -1,4 +1,4 @@ -FROM arm64v8/docker:28.1.1-dind +FROM arm64v8/docker:29.2.1-dind ENV DOCKER_HOST=unix:///var/run/docker.sock @@ -7,7 +7,7 @@ ENV BUILDKIT_PROGRESS=plain ENV DOCKER_CLI_EXPERIMENTAL=enabled ENV PLUGIN_BUILDKIT_ASSETS_DIR=/buildkit -ARG BUILDX_URL=https://github.com/docker/buildx/releases/download/v0.23.0/buildx-v0.23.0.linux-arm64 +ARG BUILDX_URL=https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-arm64 RUN mkdir -p $HOME/.docker/cli-plugins && \ wget -O $HOME/.docker/cli-plugins/docker-buildx $BUILDX_URL && \