TECHOPS-427: bump LPM_VERSION 0.3.3 → 0.3.4 to clear 5 Go stdlib HIGH CVEs

[sayaliM0412]

Summary

Bumps LPM_VERSION from 0.3.3 to 0.3.4 (and the corresponding SHA256/SHA256_ARM checksums) in all three Dockerfiles to pick up the Go 1.25.10 stdlib patches.

QA vulnerability scans on the docker images (most recent: liquibase/docker run 25763704364) flagged 5 HIGH-severity Go stdlib CVEs in the bundled lpm binary. All are fixed in Go 1.25.10 / 1.26.3:

CVE	Issue
CVE-2026-33811	cgo DNS LookupCNAME
CVE-2026-33814	HTTP/2 SETTINGS frames
CVE-2026-39820	mail ParseAddress / ParseAddressList
CVE-2026-39836	Dial / LookupPort NUL byte panic
CVE-2026-42499	consumePhrase DoS

liquibase-package-manager#619 bumped the toolchain to Go 1.25.10 on main, and v0.3.4 (released 2026-05-12 21:59Z) is the first tag that picks it up. v0.3.3 was built with Go 1.25.9 and is the version currently baked into all three of our images.

Checksum provenance

Pulled directly from the v0.3.4 checksums.txt asset:

b57165a49951e359e782e6f92777ca4b5d152f711a627f1b8dc287dbf661a064  lpm-0.3.4-linux.zip
6370065118cf306a4b0d0518989c1ae738e600d55f03ceb4f4e005a7080d03aa  lpm-0.3.4-linux-arm64.zip

Test plan

• Trigger build-qa-docker.yml with buildTargets="All (Community + Alpine + Secure)" after merge and confirm the three vulnerability-scan jobs no longer flag CVE-2026-33811/33814/39820/39836/42499.
• Verify lpm --version reports 0.3.4 from a built image.
• Confirm both amd64 and arm64 SHA256 checks pass (the build will exit non-zero if either checksum mismatches).

Notes

The CVE-2022-0839 finding on org.liquibase:liquibase-core (the other scan failure) is a separate false-positive on SNAPSHOT version labels and is tracked separately — not addressed here.

[coderabbitai]

Warning

Rate limit exceeded

@sayaliM0412 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 13 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 65796788-6d3f-40bc-9a53-48420cc1ccd4

📥 Commits

Reviewing files that changed from the base of the PR and between 9d5c6f3 and d88eb7d.

📒 Files selected for processing (3)

• Dockerfile
• Dockerfile.alpine
• DockerfileSecure

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/bump-lpm-0.3.4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude finished @sayaliM0412's task in 20s —— View job

---

Code Review

✅ Changes verified and approved

• Consistency: Version and checksums updated identically across all three Dockerfiles (Community, Alpine, Secure)
• Checksums: Both amd64 and arm64 SHA256 hashes match the official v0.3.4 release checksums.txt
• Scope: Minimal change (3 lines per file) targeting the LPM_VERSION bump needed to resolve 5 HIGH CVEs in Go stdlib
• No issues found: The version, checksums, and file placements are all correct

The PR is ready to merge once CI/QA validation confirms the CVE scans pass.

---