akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

chore: clean git cache

Browse Source
This commit is contained in:
GitHub Actions
2026-02-09 21:42:54 +00:00
parent 177e309b38
commit 74a51ee151
1800 changed files with 0 additions and 619528 deletions
Download Patch File Download Diff File Expand all files Collapse all files

192
docs/security/accepted-risks.md
View File

@@ -1,192 +0,0 @@
# Accepted Security Risks
This document tracks security vulnerabilities that have been assessed and accepted as low-risk, pending upstream patches.
---
## Alpine Linux Base Image Vulnerabilities
### CVE-2025-60876 (busybox, busybox-binsh, ssl_client)
**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-11
**Severity**: Medium
**CVSS**: TBD
#### Affected Components
- **busybox**: 1.37.0-r20
- **busybox-binsh**: 1.37.0-r20
- **ssl_client**: 1.37.0-r20
#### Vulnerability Description
CVE-2025-60876 affects multiple busybox utilities in Alpine Linux 3.21. As of 2026-01-11, no patch is available from Alpine Security Team.
#### Risk Assessment
**Exploitability**: Low
- Requires local shell access or specific network conditions
- Not directly exposed through application APIs
- Container isolation limits attack surface
**Impact**: Limited
- busybox provides minimal shell utilities used for healthchecks and diagnostics
- ssl_client used internally by Alpine package manager
- No direct user input processing through these utilities
**Mitigation Strategies**:
1. **Container Isolation**: Running in containerized environment limits local access
2. **Network Policies**: Ingress/egress rules restrict network-based exploitation
3. **Non-Privileged Container**: Runs as non-root user (caddy user)
4. **Read-Only Filesystem**: Application code and binaries mounted read-only where possible
#### Monitoring Plan
- **Frequency**: Daily checks of Alpine Security advisories
- **Source**: <https://security.alpinelinux.org/vuln>
- **Alert Trigger**: Patch release for CVE-2025-60876
- **Action**: Rebuild Docker image with updated Alpine base
#### Remediation Timeline
- **Expected Upstream Fix**: TBD (monitoring Alpine Security Team)
- **Automatic Remediation**: Will be included in next Docker rebuild after Alpine patch
- **Review Date**: 2026-02-11 (30 days) or upon patch release, whichever is sooner
---
### CVE-2025-10966 (curl/libcurl)
**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-11
**Severity**: Medium
**CVSS**: TBD
#### Affected Components
- **curl**: 8.14.1-r2
- **libcurl**: 8.14.1-r2 (implicit)
#### Vulnerability Description
CVE-2025-10966 affects libcurl in Alpine Linux 3.21. As of 2026-01-11, no patch is available from Alpine Security Team.
#### Risk Assessment
**Exploitability**: Medium
- Requires network access and specific request patterns
- curl used only in healthcheck scripts and manual debugging
- Not exposed directly to user input
**Impact**: Limited
- curl invoked only for internal health monitoring
- No user-controlled URLs passed to curl
- Healthcheck scripts use hardcoded localhost endpoints
**Mitigation Strategies**:
1. **Limited Usage**: curl only used for internal healthchecks (`http://localhost:8080/api/v1/health`)
2. **No User Input**: All curl invocations use hardcoded, internal URLs
3. **Container Isolation**: Network policies restrict external access
4. **Alternative Available**: Application can fall back to TCP socket checks
#### Monitoring Plan
- **Frequency**: Daily checks of Alpine Security advisories
- **Source**: <https://security.alpinelinux.org/vuln>
- **Alert Trigger**: Patch release for CVE-2025-10966
- **Action**: Rebuild Docker image with updated Alpine base
#### Remediation Timeline
- **Expected Upstream Fix**: TBD (monitoring Alpine Security Team)
- **Automatic Remediation**: Will be included in next Docker rebuild after Alpine patch
- **Review Date**: 2026-02-11 (30 days) or upon patch release, whichever is sooner
---
## Review Schedule
### Quarterly Security Review
- **Next Review**: 2026-04-11
- **Scope**: Re-assess all accepted risks, evaluate alternative base images
- **Attendees**: Security team, DevOps, Engineering Director
### Monthly Monitoring
- **Frequency**: First Monday of each month
- **Scope**: Check Alpine and upstream security advisories
- **Action**: Update this document if status changes
### Continuous Monitoring
- **Automated**: GitHub Dependabot, Renovate Bot
- **Manual**: Daily check of Alpine security feed during active incident periods
---
## Escalation Criteria
Accepted risks will be escalated to immediate remediation if:
1. **Severity Upgrade**: CVE severity upgraded to High or Critical
2. **Active Exploitation**: Evidence of active exploitation in the wild
3. **CISA KEV**: Added to CISA Known Exploited Vulnerabilities catalog
4. **Proof of Concept**: Public PoC demonstrating exploitability in containers
5. **Compliance Requirement**: Regulatory or audit requirement to remediate
---
## Alternative Mitigation Considered
### Switch to Distroless Base Image
**Status**: Under Evaluation
**Timeline**: Q1 2026
**Pros**:
- Minimal attack surface (no shell, no package manager)
- Faster security patches from Google
- Smaller image size
**Cons**:
- Debugging challenges (no shell access)
- May require custom healthcheck mechanisms
- Migration effort required
**Decision**: Continue monitoring Alpine CVEs while evaluating distroless for Q1 2026.
---
## Approval
**Approved By**: Engineering Director
**Date**: 2026-01-11
**Review Scheduled**: 2026-02-11
**Rationale**: The assessed risk from these Medium-severity Alpine CVEs is acceptable given:
1. Low exploitability in containerized environment
2. No upstream patches available
3. Effective mitigation strategies in place
4. Active monitoring for patches
5. No critical or high-severity vulnerabilities present
---
## References
- [Alpine Linux Security](https://security.alpinelinux.org/)
- [CVE-2025-60876 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-60876) (pending NVD update)
- [CVE-2025-10966 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-10966) (pending NVD update)
- [Supply Chain Remediation Plan](./supply-chain-no-cache-solution.md)
- [NIST SP 800-53: Security Controls](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)