From 23db31b60b8ef0770cf1f4e0a5b3785e8616592f Mon Sep 17 00:00:00 2001
From: sean wibisono
Date: Mon, 22 Jun 2026 10:43:00 +1000
Subject: [PATCH] UID2-7335: upgrade libexpat to patch CVE-2026-45186

Adds the Alpine libexpat package to the apk --no-cache --upgrade step so libexpat is bumped to 2.8.1-r0 at build time, clearing the HIGH-severity DoS-via-crafted-XML finding (CVE-2026-45186). Bumping the pinned base image SHA is insufficient: the latest 21-jre-alpine-3.23 image still ships libexpat 2.7.x. (Note: the vulnerable package is libexpat, a separate subpackage from the standalone 'expat' CLI package.)

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index e16b20a0..c09c7469 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,7 @@ COPY ./conf/default-config.json /app/conf/
 COPY ./conf/*.xml /app/conf/
 COPY ./webroot/ /app/webroot/
-RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils gnutls && adduser -D uid2-admin && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
+RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils gnutls libexpat && adduser -D uid2-admin && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
 USER uid2-admin
 CMD java \
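Review bot: Adding `libexpat` to the `+RUN apk add --no-cache --upgrade` line installs whatever version the Alpine index serves at build time, so the build neither fails nor warns if the mirror still offers the 2.7.x the description says the base image ships, and the CVE-2026-45186 remediation then depends on the state of the package index rather than on this commit. Giving apk a version floor, `'libexpat>=2.8.1-r0'` in place of `libexpat`, makes the build fail loudly instead of silently keeping the vulnerable package, which is the outcome a scanner-driven fix should guarantee. The other upgraded packages on the same line (`libcrypto3`, `libssl3`, `musl`) are unpinned in the same way, so the same treatment would presumably apply if their upgrades were also CVE-motivated. The trailing `CMD java \` context line is continued outside the hunk.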