docker-machine binary in GitLab Runner v18.9.0 references CVE-2025-68121
MRs:
* https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/merge_requests/162+
* https://gitlab.com/gitlab-org/ci-cd/runner-tools/base-images/-/merge_requests/106+
* https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/6541+
Hi GitLab team,
We recently ran a vulnerability scan (using Trivy) on the latest GitLab Runner Docker images:
- `registry.gitlab.com/gitlab-org/gitlab-runner:v18.9.0`
- `registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v18.9.0`
- `registry.gitlab.com/gitlab-org/gitlab-runner:ubuntu-v18.9.0`
The scan detected a **critical vulnerability** in the bundled `docker-machine` binary:
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---------|---------------|----------|-------------------|---------------|-------|
| stdlib | CVE-2025-68121 | CRITICAL | v1.24.11 | 1.24.13, 1.25.7, 1.26.0-rc.3 | crypto/tls: Unexpected session resumption in crypto/tls ([link](https://avd.aquasec.com/nvd/cve-2025-68121)) |
Additional notes:
- The base OS images (Ubuntu 24.04, Alpine 3.23) are reported as clean.
- The main `gitlab-runner` binary is also clean.
- Only the `docker-machine` binary is affected.
Would it be possible to rebuild the `docker-machine` binary in future runner releases using a patched Go version?
Thank you very much for your attention and support.
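As an added example that is not part of the original issue or of GitLab's tooling: a Python script that triages a `trivy image --format json` report, picks out Go `stdlib` findings in `gobinary` targets, and checks whether the toolchain version each binary was built with is at or past the fix on its own minor release line (the version comparison handles release candidates and lines with no fix at all, which the table above does not show). The report embedded below is constructed to mirror the table above; the binary paths and the shape of the report are assumptions.

```python
"""Triage a Trivy JSON report for Go stdlib CVEs in bundled Go binaries.

Added example, not code from the issue or from GitLab. It reads the JSON
that `trivy image --format json` writes and, for every Go binary Trivy
found, decides whether the Go toolchain it was built with is below the
fixed version on the same minor line. The sample report is constructed.
"""
import json
import re
import sys

# Constructed sample report (assumption: paths and layout mirror a real
# `trivy image --format json` run against the runner image in the issue).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.gitlab.com/gitlab-org/gitlab-runner:v18.9.0",
    "Results": [
        {"Target": "registry.gitlab.com/gitlab-org/gitlab-runner:v18.9.0 (ubuntu 24.04)",
         "Class": "os-pkgs", "Type": "ubuntu"},
        {"Target": "usr/bin/gitlab-runner", "Class": "lang-pkgs", "Type": "gobinary"},
        {"Target": "usr/bin/docker-machine", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{
             "VulnerabilityID": "CVE-2025-68121",
             "PkgName": "stdlib",
             "InstalledVersion": "v1.24.11",
             "FixedVersion": "1.24.13, 1.25.7, 1.26.0-rc.3",
             "Severity": "CRITICAL",
             "Title": "crypto/tls: Unexpected session resumption in crypto/tls",
         }]},
    ],
})

# Accepts Trivy's "v1.24.11" / "1.26.0-rc.3" and Go's own "go1.26rc3".
_VER_RE = re.compile(r"^(?:go|v)?(\d+)\.(\d+)(?:\.(\d+))?(?:-?(rc)\.?(\d+))?$")


def parse_go_version(s: str) -> tuple:
    """Turn a Go version string into a sortable tuple.

    Release candidates sort before the final release of the same number:
    parse_go_version("1.26.0-rc.3") < parse_go_version("1.26.0").
    """
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Go version: {s!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre_n or 0))


def is_fixed(installed: str, fixed_versions: str) -> bool:
    """True if `installed` is at or above the fix for its own minor line."""
    inst = parse_go_version(installed)
    fixes = [parse_go_version(f) for f in fixed_versions.split(",") if f.strip()]
    if not fixes:
        return False  # no fix published at all
    same_line = [f for f in fixes if f[:2] == inst[:2]]
    if same_line:
        return inst >= min(same_line)
    # No patched release on this minor line: a line newer than every fix
    # was born fixed; a line older than every fix is unsupported and unfixed.
    return inst >= max(fixes)


def stdlib_findings(report_json: str) -> list:
    """Return one record per Go stdlib CVE found in a gobinary target."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        if result.get("Type") != "gobinary":
            continue
        for v in result.get("Vulnerabilities") or []:
            if v.get("PkgName") != "stdlib":
                continue
            fixed = v.get("FixedVersion", "")
            findings.append({
                "binary": result["Target"],
                "cve": v["VulnerabilityID"],
                "severity": v.get("Severity", "UNKNOWN"),
                "installed": v["InstalledVersion"],
                "fixed": fixed,
                "still_vulnerable": not is_fixed(v["InstalledVersion"], fixed),
            })
    return findings


if __name__ == "__main__":
    # Usage: python triage.py [trivy-report.json]; defaults to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in stdlib_findings(data):
        state = "VULNERABLE" if f["still_vulnerable"] else "fixed"
        print(f'{f["binary"]}: {f["cve"]} {f["severity"]} '
              f'built with Go {f["installed"]} (fixed in {f["fixed"]}) -> {state}')
```

To confirm a Trivy result independently, `go version -m /usr/bin/docker-machine` run inside the image prints the embedded build information, including the toolchain version the binary was compiled with, which is what Trivy compares against the `stdlib` fixed versions.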