Two-line Dockerfile change (#127): `FROM python:3.12-slim` → `FROM python:3.12-slim-trixie` on both build stages.
Expected to close ~11-13 of the 13 open Critical+High Trivy findings on the main branch image — all of them base-image OS CVEs (gnutls, libssh2, ncurses, systemd, libcap) fixed in trixie's package versions but not backported to bookworm.
What changed under the hood
| Component | bookworm (v2.4.6) | trixie (v2.4.7) |
|---|---|---|
| Debian | 12 | 13 (stable since June 2025) |
| glibc | 2.36 | 2.40 (backward-compatible ABI: manylinux wheels built against the older glibc still load, no wheel rebuild needed) |
| OpenSSL system | 3.0.x | 3.4.x (irrelevant to `cryptography`, which bundles its own OpenSSL; CPython's `ssl` module does link the system libssl, so stdlib and urllib3 TLS move to 3.4.x as well) |
| gnutls | 3.7.9 | 3.8.7 — closes #253 (Critical), #254, #255, #256, #257 |
| ncurses | 6.4 | 6.5 — closes #182, #193, #200, #201 |
| systemd | 252 | 256+ — closes #190, #194 |
| libcap | 2.66 | 2.68+ — closes #178 |
| libssh2 | 1.10.0 | 1.11.x — probably closes #274 |
What's NOT touched
- No application code changed
- No `requirements.txt` updates (all 14 DNS plugins + certbot + cryptography + cloudflare + boto3 + azure-* + flask install cleanly on trixie, verified locally)
- No behavior change in the running app
- Same Python 3.12 interpreter
- No CI/Dockerfile structural changes — just the FROM line on both stages
Verified
- ✅ Local single-arch amd64 docker build: pip wheels install cleanly on trixie
- ✅ CI multi-arch build (linux/amd64 + linux/arm64): pass
- ✅ CI full e2e test (3.12) suite: pass
- ⏳ Trivy scan delta on main image: appears in next nightly scan
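A way to check the Trivy delta locally instead of waiting for the nightly, as an added example here (not the project's own tooling): scan the v2.4.6 and v2.4.7 images with `trivy image --format json` and diff the Critical/High findings keyed by `VulnerabilityID`. Keying by package name does not work across this bump, because Debian 13 renamed a number of libraries for the 64-bit time_t transition (`libssh2-1` becomes `libssh2-1t64`, for instance), so a per-package diff would report every such finding as both closed and new. The two embedded reports are constructed sample data with placeholder IDs, not real scan output; the image refs in the usage line are placeholders too.

```python
"""Diff Critical/High Trivy findings between two image scans.

Added example for PR #127, not part of the project. Expects Trivy's
`trivy image --format json` schema: Results[].Vulnerabilities[] with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity.
"""
import json
import subprocess
import sys

SEVERITIES = frozenset({"CRITICAL", "HIGH"})

# Constructed sample reports (not real scan output). IDs are placeholders,
# versions are the ones quoted in the PR table.
OLD_REPORT = {
    "ArtifactName": "image:v2.4.6",
    "Results": [
        {"Target": "image:v2.4.6 (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libgnutls30",
              "InstalledVersion": "3.7.9", "FixedVersion": "3.8.7", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libncursesw6",
              "InstalledVersion": "6.4", "FixedVersion": "6.5", "Severity": "HIGH"},
             # no FixedVersion: Trivy omits the key when upstream has no fix
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libssh2-1",
              "InstalledVersion": "1.10.0", "Severity": "HIGH"},
             # MEDIUM: filtered out, the PR only counts Critical+High
             {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "libcap2",
              "InstalledVersion": "2.66", "FixedVersion": "2.68", "Severity": "MEDIUM"},
         ]},
        # lang-pkgs result with no Vulnerabilities key at all (clean pip wheels)
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg"},
    ],
}
NEW_REPORT = {
    "ArtifactName": "image:v2.4.7",
    "Results": [
        {"Target": "image:v2.4.7 (debian 13)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             # same CVE, renamed package (t64 transition): a PkgName diff would
             # call this closed+new, a VulnerabilityID diff calls it remaining
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libssh2-1t64",
              "InstalledVersion": "1.11.1", "Severity": "HIGH"},
             # finding the newer base carries that bookworm never had
             {"VulnerabilityID": "CVE-EXAMPLE-0005", "PkgName": "libexample1",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
         ]},
    ],
}


def findings(report, severities=SEVERITIES):
    """Map VulnerabilityID -> finding for every result at the given severities."""
    out = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be missing or null
            if v.get("Severity") in severities:
                out[v["VulnerabilityID"]] = v
    return out


def delta(old_report, new_report, severities=SEVERITIES):
    """Closed / remaining / introduced vulnerability IDs between two scans."""
    old, new = findings(old_report, severities), findings(new_report, severities)
    return {
        "closed": sorted(set(old) - set(new)),
        "remaining": sorted(set(old) & set(new)),
        "introduced": sorted(set(new) - set(old)),
    }


def report_lines(old_report, new_report):
    """Human-readable delta, one line per Critical/High finding."""
    d = delta(old_report, new_report)
    old, new = findings(old_report), findings(new_report)
    lines = []
    for vid in d["closed"]:
        v = old[vid]
        lines.append(f"CLOSED      {vid} {v['Severity']:<8} {v['PkgName']} {v['InstalledVersion']}"
                     f" (fixed in {v.get('FixedVersion') or 'n/a'})")
    for vid in d["remaining"]:
        o, n = old[vid], new[vid]
        lines.append(f"REMAINING   {vid} {n['Severity']:<8} {o['PkgName']} {o['InstalledVersion']}"
                     f" -> {n['PkgName']} {n['InstalledVersion']} (fixed in {n.get('FixedVersion') or 'n/a'})")
    for vid in d["introduced"]:
        v = new[vid]
        lines.append(f"INTRODUCED  {vid} {v['Severity']:<8} {v['PkgName']} {v['InstalledVersion']}"
                     f" (fixed in {v.get('FixedVersion') or 'n/a'})")
    return lines


def scan(image):
    """Run trivy (must be on PATH) against an image ref and parse its JSON."""
    cmd = ["trivy", "image", "--quiet", "--format", "json",
           "--severity", ",".join(sorted(SEVERITIES)), image]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: trivy_delta.py OLD_IMAGE_REF NEW_IMAGE_REF")
    print("\n".join(report_lines(scan(sys.argv[1]), scan(sys.argv[2]))))
```

Run it as `python trivy_delta.py <registry>/<image>:v2.4.6 <registry>/<image>:v2.4.7` with the multi-arch manifest pulled for the platform you care about (Trivy scans one platform at a time). The line to watch is INTRODUCED: a newer base closes the bookworm backlog but can carry findings of its own, and those would not show up in the "closes #…" bookkeeping above.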
Full diff: v2.4.6...v2.4.7