docs: add comprehensive vulnerability acceptance and remediation reports for PR #461

- Created `pr_461_remediation_complete.md` detailing the final remediation status, including bug fixes, test results, and coverage metrics.
- Added `pr_461_vulnerability_comment.md` summarizing the supply chain vulnerabilities accepted for PR #461, including risk assessments and mitigation strategies.
- Established `VULNERABILITY_ACCEPTANCE.md` to formally document the acceptance of 9 vulnerabilities in Alpine Linux packages, outlining the rationale, monitoring plans, and compliance with industry standards.

These documents ensure transparency and provide a clear audit trail for the vulnerability management process associated with PR #461.
GitHub Actions
2026-01-14 00:44:27 +00:00
parent 4adcd9eda1
commit 27e4382482
9 changed files with 2441 additions and 121 deletions


@@ -426,6 +426,24 @@ Charon maintains transparency about security issues and their resolution. Below
## Known Security Considerations
### Alpine Base Image Vulnerabilities (2026-01-13)
**Status**: 9 Alpine OS package vulnerabilities identified and accepted pending upstream patches.
**Affected Packages**:
- **busybox** (3 packages): CVE-2025-60876 (MEDIUM) - Heap buffer overflow
- **curl** (7 CVEs): CVE-2025-15079, CVE-2025-14819, CVE-2025-14524, CVE-2025-13034, CVE-2025-10966, CVE-2025-14017 (MEDIUM), CVE-2025-15224 (LOW)
**Risk Assessment**: LOW overall risk due to:
- No upstream patches available from Alpine Security Team
- Low exploitability in containerized deployment (no shell access, localhost-only curl usage)
- Multiple layers of defense-in-depth mitigation
- Active monitoring for patches
**Review Date**: 2026-02-13 (30 days)
**Details**: See [VULNERABILITY_ACCEPTANCE.md](docs/security/VULNERABILITY_ACCEPTANCE.md) for complete risk assessment, mitigation strategies, and monitoring plan.
### Third-Party Dependencies
**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with Go 1.25.5+.
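Review bot: The counts in the new "Alpine Base Image Vulnerabilities" section do not reconcile: the Status line says 9 vulnerabilities, but the list gives busybox as "3 packages" with a single CVE and curl as 7 CVEs, which reads as either 8 distinct CVEs or 10 package-level findings; state which unit is being counted (distinct CVEs vs. per-package findings) so the total matches, e.g. `**busybox** (1 CVE across 3 packages)`. Separately, "No upstream patches available from Alpine Security Team" is listed under the reasons the overall risk is LOW, but the absence of a fix does not lower risk; it is the reason the findings are being accepted rather than patched, so it belongs with the Status line, leaving the actual controls (no shell access, localhost-only curl usage, defense-in-depth layers) as the risk rationale. Finally, the Review Date of 2026-02-13 should say who owns the re-review and what happens if Alpine ships fixes earlier, since the text promises "active monitoring for patches" without naming the check.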