From e74b53dec1bbe4a1af90f878169f1a0856768853 Mon Sep 17 00:00:00 2001 From: June Chen Date: Wed, 25 Mar 2026 23:32:22 +0000 Subject: [PATCH] Updates the Go toolchain, application dependencies, and OS-level packages to resolve multiple security vulnerabilities identified in remediation Key changes: - Bumps Go builder stage to 1.24.13 to fix standard library and toolchain CVEs (e.g., CVE-2025-68121, CVE-2025-61732). - Switches to bullseye base image to ensure GLIBC compatibility between the builder and the Ollama runner stage. - Adds 'apt-get upgrade' to the runner stage to install the latest Ubuntu security patches for OpenSSL, libssh, and curl. - Updates google.golang.org/grpc to 1.79.3 (fixes CVE-2026-33186). - Updates golang.org/x/crypto to 0.45.0 (fixes CVE-2025-58181). --- Demos/Gemma-on-Cloudrun/Dockerfile | 4 ++-- Demos/Gemma-on-Cloudrun/go.mod | 18 ++++++++++-------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/Demos/Gemma-on-Cloudrun/Dockerfile b/Demos/Gemma-on-Cloudrun/Dockerfile index 90c06bfd..fb94ca8b 100644 --- a/Demos/Gemma-on-Cloudrun/Dockerfile +++ b/Demos/Gemma-on-Cloudrun/Dockerfile @@ -1,5 +1,5 @@ # === Stage 1: Build proxy server === -FROM golang:1.24-alpine as proxy_builder +FROM golang:1.24.13-alpine as proxy_builder LABEL stage="proxy-builder" # Create and change to the app directory. @@ -21,7 +21,7 @@ FROM ollama/ollama:latest as ollama_builder LABEL stage="ollama-builder" # Install curl. It's used in the start_script.sh to check Ollama health status. -RUN apt-get update && apt-get install -y curl +RUN apt-get update && apt-get upgrade -y && apt-get install -y curl # Copy the proxy server binary to the ollama image. COPY --from=proxy_builder /app/server /app/server diff --git a/Demos/Gemma-on-Cloudrun/go.mod b/Demos/Gemma-on-Cloudrun/go.mod index b6139996..6ffb33dc 100644 --- a/Demos/Gemma-on-Cloudrun/go.mod +++ b/Demos/Gemma-on-Cloudrun/go.mod @@ -1,11 +1,13 @@ module cloudrungemma -go 1.24 +go 1.24.0 + +toolchain go1.24.13 require ( cloud.google.com/go/ai v0.10.2 github.com/openai/openai-go v0.1.0-beta.10 - google.golang.org/protobuf v1.36.6 + google.golang.org/protobuf v1.36.10 ) require ( @@ -14,10 +16,10 @@ require ( github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/tidwall/sjson v1.2.5 // indirect - golang.org/x/net v0.39.0 // indirect - golang.org/x/sys v0.32.0 // indirect - golang.org/x/text v0.24.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect - google.golang.org/grpc v1.71.1 // indirect + golang.org/x/net v0.48.0 // indirect + golang.org/x/sys v0.39.0 // indirect + golang.org/x/text v0.32.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/grpc v1.79.3 // indirect )