Rebuild Request: `python:3.10-alpine` — CVE-2026-23949 & CVE-2026-24049 (HIGH/CRITICAL)

[tpickle-py]

Rebuild Request: python:3.10-alpine — CVE-2026-23949 & CVE-2026-24049 (HIGH/CRITICAL)

Summary

The current python:3.10-alpine image ships with outdated versions of jaraco.context and wheel that contain known, fixed vulnerabilities. A rebuild is needed to pick up the patched versions.

Both CVEs have fixed versions available and this should be resolved by a simple image rebuild.

---

Affected Image

python:3.10-alpine

---

Vulnerabilities

Library	CVE	Severity	Installed Version	Fixed Version	Description
jaraco.context	CVE-2026-23949	HIGH	5.3.0	6.1.0	Path traversal via malicious tar archives
wheel	CVE-2026-24049	HIGH	0.45.1	0.46.2	Privilege escalation or arbitrary code execution via malicious wheel file

References:

• https://avd.aquasec.com/nvd/cve-2026-23949
• https://avd.aquasec.com/nvd/cve-2026-24049

---

Impact

These vulnerabilities are being flagged as Critical by JFrog Xray, blocking our CI/CD pipeline builds. The fixes are already available upstream — this requires only an image rebuild to pull in the updated package versions.

---

[yosifkit]

According to the description of CVE-2026-23949, jaraco.context is vendored in setuptools. Unfortunately, we have pinned the setuptools and wheel versions in order to prevent breaking changes, so a rebuild won't change the versions of these packages:

python/3.10/alpine3.23/Dockerfile

Lines 125 to 127 in 719683e

	'setuptools==79.0.1' \
	# https://github.com/docker-library/python/issues/1023
	'wheel<0.46' \

See also #1023

Users who need an updated wheel or setuptools and are susceptible to these CVEs can update them before installing/updating any other python packages.