## FraiseQL Security Patch Rollout: Critical CVE Fixes for util-linux, ncurses, and shadow-utils Deployed
A critical security patch cycle has been completed, neutralizing three high-risk vulnerabilities within the FraiseQL infrastructure. The fixes address CVE-2025-14104, a heap buffer overread in util-linux; CVE-2025-6141, a stack buffer overflow in ncurses; and CVE-2024-56433, a subordinate ID configuration flaw in shadow-utils. These patches are now live in the latest base images, marking a significant reduction in the project's attack surface. However, one vulnerability—CVE-2025-9820, a TLS flaw in GnuTLS—remains unfixed, leaving a known exposure that requires continued monitoring.

The remediation effort was executed through a mandatory update protocol. The immediate actions required pulling the patched `python:3.13-slim` base image, rebuilding all FraiseQL container images, and verifying the fixes with Trivy vulnerability scans. The process mandates the removal of the now-fixed CVEs from the `.trivyignore` file so that Trivy reports them again should a later build regress, keeping detection continuous. This operation is governed by a strict internal Service Level Agreement (SLA), which demands full deployment of the updated images within a seven-day window from the report date of April 6, 2026.
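The rollout steps above, scripted as an added example (not the FraiseQL project's own tooling): the `rollout` function pulls the base image, rebuilds, scans with Trivy and only then prunes the fixed CVE IDs from `.trivyignore`, so an entry is never dropped while the scanner still sees the finding. The image tag `fraiseql:latest` and the Dockerfile in the working directory are assumptions; the `.trivyignore` contents and the Trivy JSON fragment used by `demo` are constructed samples.

```shell
#!/bin/sh
# Added example, not FraiseQL project code. Prunes fixed CVEs from .trivyignore
# and checks a Trivy JSON report no longer lists them before doing so.

# The three CVEs the report says are fixed in the patched base image.
FIXED_CVES="CVE-2025-14104 CVE-2025-6141 CVE-2024-56433"

# Remove the given CVE IDs from a .trivyignore file (one ID per line, optional
# '#' comment) so Trivy flags them again if a rebuild ever regresses.
# Usage: prune_trivyignore FILE CVE...
prune_trivyignore() {
  file="$1"; shift
  tmp="$file.tmp"
  cp "$file" "$tmp"
  for cve in "$@"; do
    # Match the ID as a whole entry; grep -v exits 1 when nothing is left, which is fine.
    grep -v -E "^[[:space:]]*${cve}([[:space:]]|#|$)" "$tmp" > "$tmp.2" || true
    mv "$tmp.2" "$tmp"
  done
  mv "$tmp" "$file"
}

# Return 0 if none of the given CVE IDs appear in a Trivy JSON report
# ("VulnerabilityID" entries), 1 otherwise, naming any that are still present.
# Usage: report_clean_of REPORT.json CVE...
report_clean_of() {
  report="$1"; shift
  status=0
  for cve in "$@"; do
    if grep -q "\"VulnerabilityID\": *\"${cve}\"" "$report"; then
      echo "still present: $cve" >&2
      status=1
    fi
  done
  return $status
}

# The rollout as described on the page: pull, rebuild, scan, then prune.
# Needs docker, trivy and network access, so it only runs when called explicitly.
rollout() {
  docker pull python:3.13-slim
  docker build --pull -t fraiseql:latest .          # hypothetical image tag
  trivy image --format json --output trivy-report.json fraiseql:latest
  report_clean_of trivy-report.json $FIXED_CVES \
    && prune_trivyignore .trivyignore $FIXED_CVES
}

# Offline demonstration on constructed inputs (no docker or trivy required).
demo() {
  d=$(mktemp -d)
  # Constructed .trivyignore: three fixed CVEs plus the still-open GnuTLS one.
  printf 'CVE-2025-14104\nCVE-2025-6141 # ncurses\nCVE-2024-56433\nCVE-2025-9820\n' > "$d/.trivyignore"
  # Constructed Trivy JSON fragment: only the unfixed CVE remains.
  printf '{"Results":[{"Vulnerabilities":[{"VulnerabilityID": "CVE-2025-9820"}]}]}' > "$d/report.json"
  if report_clean_of "$d/report.json" $FIXED_CVES; then
    prune_trivyignore "$d/.trivyignore" $FIXED_CVES
    echo "remaining .trivyignore entries:"; cat "$d/.trivyignore"
  fi
  rm -rf "$d"
}
```

Running the file calls nothing by default; `demo` exercises the two local functions on the constructed inputs, while `rollout` is the step sequence an operator would invoke on a build host. The ordering matters: pruning `.trivyignore` only after `report_clean_of` succeeds means a rebuild that silently kept a vulnerable package would fail the scan instead of being hidden by a stale ignore entry.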

This patch cycle underscores the persistent pressure on development and DevOps teams to maintain a rapid response cadence for security flaws. The existence of an unfixed GnuTLS vulnerability highlights the dependency risks and patch lag inherent in complex software supply chains. Failure to adhere to the deployment SLA could reintroduce the patched risks or leave systems exposed to the remaining TLS vulnerability, emphasizing that patch management is a continuous and critical operational discipline.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, Security Patches, DevOps, Container Security, Vulnerability Management
- **Credibility**: unverified
- **Published**: 2026-04-16 07:22:38
- **ID**: 67025
- **URL**: https://whisperx.ai/en/intel/67025