From d88eb7df575c81e0a3ffc91625fa0ccd925ffdb3 Mon Sep 17 00:00:00 2001
From: liquibot
Date: Tue, 12 May 2026 17:03:20 -0500
Subject: [PATCH] fix: bump LPM_VERSION 0.3.3 → 0.3.4 to clear 5 Go stdlib HIGH CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

QA vulnerability scans on the docker images (e.g. liquibase/docker run 25763704364) flagged 5 HIGH-severity Go stdlib CVEs in the lpm binary:

  CVE-2026-33811 (cgo DNS LookupCNAME)
  CVE-2026-33814 (HTTP/2 SETTINGS frames)
  CVE-2026-39820 (mail ParseAddress / ParseAddressList)
  CVE-2026-39836 (Dial / LookupPort NUL byte panic)
  CVE-2026-42499 (consumePhrase DoS)

All five are fixed in Go 1.25.10 / 1.26.3. lpm v0.3.3 was built with Go 1.25.9 and is vulnerable; liquibase-package-manager#619 bumped the toolchain to 1.25.10 on main, and v0.3.4 (released 2026-05-12 21:59Z) is the first tag that picks it up.

Bumps LPM_VERSION 0.3.3 → 0.3.4 and the corresponding SHA256/SHA256_ARM checksums in all three Dockerfiles. Checksums sourced from the official checksums.txt asset on the v0.3.4 release.

References:
- liquibase-package-manager#619 (Go 1.25.10 bump)
- liquibase-package-manager v0.3.4: https://github.com/liquibase/liquibase-package-manager/releases/tag/v0.3.4
---
 Dockerfile        | 6 +++---
 Dockerfile.alpine | 6 +++---
 DockerfileSecure  | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ef17422f..3536ce53 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,9 +21,9 @@ RUN wget -q -O liquibase-${LIQUIBASE_VERSION}.tar.gz "https://package.liquibase. ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \ liquibase --version -ARG LPM_VERSION=0.3.3 -ARG LPM_SHA256=07756491e640be2d7eb9a24a9342e77c13829be1ce3658b00eca4a38fee1ef4b -ARG LPM_SHA256_ARM=68a8f9bad54ed81861fc2aa2297194cc8ffd9d57c8ceb8fa98beb207e5df9b96 +ARG LPM_VERSION=0.3.4 +ARG LPM_SHA256=b57165a49951e359e782e6f92777ca4b5d152f711a627f1b8dc287dbf661a064 +ARG LPM_SHA256_ARM=6370065118cf306a4b0d0518989c1ae738e600d55f03ceb4f4e005a7080d03aa # Add metadata labels LABEL org.opencontainers.image.description="Liquibase Container Image" diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 4eb5ff76..d12a7a1f 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -27,9 +27,9 @@ RUN set -x && \ ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \ liquibase --version -ARG LPM_VERSION=0.3.3 -ARG LPM_SHA256=07756491e640be2d7eb9a24a9342e77c13829be1ce3658b00eca4a38fee1ef4b -ARG LPM_SHA256_ARM=68a8f9bad54ed81861fc2aa2297194cc8ffd9d57c8ceb8fa98beb207e5df9b96 +ARG LPM_VERSION=0.3.4 +ARG LPM_SHA256=b57165a49951e359e782e6f92777ca4b5d152f711a627f1b8dc287dbf661a064 +ARG LPM_SHA256_ARM=6370065118cf306a4b0d0518989c1ae738e600d55f03ceb4f4e005a7080d03aa # Add metadata labels LABEL org.opencontainers.image.description="Liquibase Container Image (Alpine)" diff --git a/DockerfileSecure b/DockerfileSecure index db890584..a384b2cc 100644 --- a/DockerfileSecure +++ b/DockerfileSecure 
@@ -32,9 +32,9 @@ RUN wget -q -O liquibase-secure-${LIQUIBASE_SECURE_VERSION}.tar.gz "https://repo ln -s /liquibase/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh && \ liquibase --version -ARG LPM_VERSION=0.3.3 -ARG LPM_SHA256=07756491e640be2d7eb9a24a9342e77c13829be1ce3658b00eca4a38fee1ef4b -ARG LPM_SHA256_ARM=68a8f9bad54ed81861fc2aa2297194cc8ffd9d57c8ceb8fa98beb207e5df9b96 +ARG LPM_VERSION=0.3.4 +ARG LPM_SHA256=b57165a49951e359e782e6f92777ca4b5d152f711a627f1b8dc287dbf661a064 +ARG LPM_SHA256_ARM=6370065118cf306a4b0d0518989c1ae738e600d55f03ceb4f4e005a7080d03aa # Download and Install lpm RUN apt-get update && \
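Review bot: in the Dockerfile hunk the new `LPM_SHA256` and `LPM_SHA256_ARM` values carry no indication of which release asset each one was copied from, so the next person bumping them has to re-derive the mapping from checksums.txt. Suggest a one-line comment above the three `ARG` lines naming the two asset filenames and the source (the commit message already says the official checksums.txt on the v0.3.4 release, which is the right reference), and confirm that the download step consuming `LPM_SHA256` fails the build on mismatch rather than only logging, since that step is outside the visible context of this hunk.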
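Review bot: the Dockerfile.alpine hunk is the same three-line `ARG LPM_VERSION` / `LPM_SHA256` / `LPM_SHA256_ARM` edit as in Dockerfile, and the diffstat shows the identical `6 +++---` change in all three files. Style point: that duplication is what turns every CVE-driven lpm bump into a three-file edit where one image can silently stay on 0.3.3; consider sourcing the version and both checksums from a single place (for example one build argument set by CI and passed to all three images) so a future bump touches one file.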
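Review bot: the DockerfileSecure hunk's trailing context (`# Download and Install lpm` followed by `RUN apt-get update && \`) suggests the download and checksum verification that consume these `ARG`s live in that layer, but the hunk does not show the arm64 path; a wrong `LPM_SHA256_ARM` would only surface on a multi-arch build, not on a local amd64 build, so please state in the PR that the arm64 image was built and verified against the new value. Since the commit message ties this bump to the Go 1.25.9 → 1.25.10 toolchain change in lpm, a short comment next to `LPM_VERSION` noting that 0.3.4 is the first release carrying the fix would make any later revert to 0.3.3 visibly reintroduce the five CVEs.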