build: bump OpenSSL from 3.6.1 to 3.6.2 in all builder images #23215

Merged: Kyle-Neale merged 3 commits into master from fix/vuln-59288-bump-openssl-3.6.2-clean on Apr 23, 2026

@Kyle-Neale
Contributor

What does this PR do?

Bumps OpenSSL from 3.6.1 to 3.6.2 in all four builder images:

  • .builders/images/linux-x86_64/Dockerfile
  • .builders/images/linux-aarch64/Dockerfile
  • .builders/images/windows-x86_64/Dockerfile
  • .builders/images/macos/builder_setup.sh

Motivation

Addresses VULN-59288. OpenSSL 3.6.2 was released on 2026-04-07 with security fixes.

@github-actions
Contributor

github-actions Bot commented Apr 17, 2026

⚠️ Recommendation: Add qa/skip-qa label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

rdesgroppes previously approved these changes Apr 17, 2026
@temporal-github-worker-1 temporal-github-worker-1 Bot dismissed rdesgroppes’s stale review April 18, 2026 00:18

Review from rdesgroppes is dismissed. Related teams and files:

  • agent-build
    • .deps/image_digests.json
    • .deps/resolved/linux-aarch64_3.13.txt
    • .deps/resolved/linux-x86_64_3.13.txt
    • .deps/resolved/macos-aarch64_3.13.txt
    • .deps/resolved/macos-x86_64_3.13.txt
    • .deps/resolved/windows-x86_64_3.13.txt
@Kyle-Neale Kyle-Neale force-pushed the fix/vuln-59288-bump-openssl-3.6.2-clean branch from 8592609 to ab481a5 Compare April 21, 2026 13:07
aiuto previously approved these changes Apr 21, 2026
@temporal-github-worker-1 temporal-github-worker-1 Bot dismissed aiuto’s stale review April 21, 2026 15:39

Review from aiuto is dismissed. Related teams and files:

  • agent-build
    • .deps/builder_inputs.toml
    • .deps/image_digests.json
    • .deps/resolved/linux-aarch64_3.13.txt
    • .deps/resolved/linux-x86_64_3.13.txt
    • .deps/resolved/macos-aarch64_3.13.txt
    • .deps/resolved/macos-x86_64_3.13.txt
    • .deps/resolved/windows-x86_64_3.13.txt
@dd-octo-sts
Contributor

dd-octo-sts Bot commented Apr 21, 2026

Validation Report

All 20 validations passed.

| Validation | Description |
| --- | --- |
| agent-reqs | Verify check versions match the Agent requirements file |
| ci | Validate CI configuration and Codecov settings |
| codeowners | Validate every integration has a CODEOWNERS entry |
| config | Validate default configuration files against spec.yaml |
| dep | Verify dependency pins are consistent and Agent-compatible |
| http | Validate integrations use the HTTP wrapper correctly |
| imports | Validate check imports do not use deprecated modules |
| integration-style | Validate check code style conventions |
| jmx-metrics | Validate JMX metrics definition files and config |
| labeler | Validate PR labeler config matches integration directories |
| legacy-signature | Validate no integration uses the legacy Agent check signature |
| license-headers | Validate Python files have proper license headers |
| licenses | Validate third-party license attribution list |
| metadata | Validate metadata.csv metric definitions |
| models | Validate configuration data models match spec.yaml |
| openmetrics | Validate OpenMetrics integrations disable the metric limit |
| package | Validate Python package metadata and naming |
| readmes | Validate README files have required sections |
| saved-views | Validate saved view JSON file structure and fields |
| version | Validate version consistency between package and changelog |

@aiuto

aiuto commented Apr 21, 2026

Every time we approve, temporal invalidates it.

@Kyle-Neale Kyle-Neale added this pull request to the merge queue Apr 23, 2026
Merged via the queue into master with commit 2c390e4 Apr 23, 2026
27 of 29 checks passed
@Kyle-Neale Kyle-Neale deleted the fix/vuln-59288-bump-openssl-3.6.2-clean branch April 23, 2026 13:48
@dd-octo-sts dd-octo-sts Bot added this to the 7.79.0 milestone Apr 23, 2026
gh-worker-dd-mergequeue-cf854d Bot pushed a commit to DataDog/datadog-agent that referenced this pull request Apr 23, 2026
…49698)

## Summary
- Forward the `INTEGRATIONS_WHEELS_STORAGE` env var into the Windows MSI and FIPS-MSI build containers so upstream overrides (e.g. `dev`) actually reach omnibus.
- Fixes silent fallback to `release.json`'s default (`stable`) when an upstream pipeline wants a different wheel tier.

## Why
The Windows agent package build runs inside a Docker container, which only sees env vars explicitly forwarded via `docker run -e`. `INTEGRATIONS_CORE_VERSION` was already in the forward list, but `INTEGRATIONS_WHEELS_STORAGE` was not. When an upstream trigger (e.g. integrations-core's `.build-agent-tpl` in `.gitlab/build_agent.yaml`) sets `INTEGRATIONS_WHEELS_STORAGE: "dev"`, the GitLab runner has it but Docker strips it, and `tasks/libs/dependencies.py::get_effective_dependencies_env` falls through to `release.json`'s `"stable"`. pip then 404s on wheels that were only published to `dev/built/`.

macOS and Linux builds run directly on the runner host, so they inherit the job-level env natively — only Windows was affected.

### Context
Seen in pipeline [108825388](https://gitlab.ddbuild.io/DataDog/datadog-agent/-/pipelines/108825388/failures), where Windows base + FIPS MSI jobs failed with:

```
ERROR: HTTP error 404 while getting
https://agent-int-packages.datadoghq.com/stable/built/botocore/botocore-1.42.72-20260421152939-py3-none-any.whl
```

while the macOS and Linux jobs in the same pipeline succeeded because they correctly saw `INTEGRATIONS_WHEELS_STORAGE=dev`. Related motivating PR on integrations-core: [DataDog/integrations-core#23215](DataDog/integrations-core#23215) (VULN-59288 OpenSSL 3.6.2 bump).

Co-authored-by: kyle.neale <kyle.neale@datadoghq.com>
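
The forwarding gap described in the commit message above, as an added example that is not part of the referenced commit or of datadog-agent's build scripts: a pre-flight check that reports overrides set on the runner but missing from the `docker run -e` forward list. `FORWARD_LIST`, `OVERRIDE_VARS` and both function names are hypothetical, and the job environment is constructed.

```shell
#!/bin/sh
# Added example, not datadog-agent code. FORWARD_LIST, OVERRIDE_VARS and the
# function names are hypothetical; the two variable names come from the commit.

# Variables the wrapper passes to `docker run -e` (the pre-fix state).
FORWARD_LIST="INTEGRATIONS_CORE_VERSION"
# Variables an upstream pipeline may override and the in-container build reads.
OVERRIDE_VARS="INTEGRATIONS_CORE_VERSION INTEGRATIONS_WHEELS_STORAGE"

# Build "-e NAME" arguments for every listed variable set in the job env.
# `docker run -e NAME` (no value) copies NAME from the calling environment.
docker_env_args() {
    args=""
    for name in $1; do
        eval "is_set=\${$name+x}"
        if [ -n "$is_set" ]; then args="${args:+$args }-e $name"; fi
    done
    printf '%s\n' "$args"
}

# List overrides set in the job env but absent from the forward list:
# these are the ones the container silently replaces with its defaults.
unforwarded_overrides() {
    forward=" $1 "
    for name in $2; do
        eval "is_set=\${$name+x}"
        if [ -n "$is_set" ]; then
            case "$forward" in
                *" $name "*) ;;
                *) printf '%s\n' "$name" ;;
            esac
        fi
    done
}

# Constructed job environment, as an upstream trigger would set it.
export INTEGRATIONS_CORE_VERSION="constructed-ref"
export INTEGRATIONS_WHEELS_STORAGE="dev"

echo "docker run $(docker_env_args "$FORWARD_LIST") <image> <build command>"
missing=$(unforwarded_overrides "$FORWARD_LIST" "$OVERRIDE_VARS")
if [ -n "$missing" ]; then
    echo "set on the runner but not forwarded: $missing" >&2
fi
```

Run as a step before the container starts, a non-empty result turns the silent fallback into a visible failure instead of a later pip 404.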