
dokku

v0.38.2 Security

This release includes 4 security fixes; security teams running exposed deployments should review it.

Published 24d Deployment Automation

Topics

buildpack, containers, devops, docker, dokku, heroku, kubernetes, nomad, paas, self-hosted

Summary

AI summary

Restrict app names and harden archive extraction against symlink traversal.

Full changelog

Install/update via the bootstrap script:

wget -NP . https://dokku.com/install/v0.38.2/bootstrap.sh
sudo DOKKU_TAG=v0.38.2 bash bootstrap.sh

Security

  • #8590: @josegonzalez Restrict app names to prevent command injection
  • #8591: @josegonzalez Harden archive extraction against symlink traversal
  • #8589: @josegonzalez Enforce 0600 permissions on .netrc credentials file
  • #8588: @josegonzalez Sanitize openresty include filenames to prevent eval injection

Bug Fixes

  • #8593: @josegonzalez Gate ssl_reject_handshake behind nginx 1.19.4
  • #8578: @josegonzalez Reference SOURCECODE_WORK_DIR in builder core-post-extract

Documentation

  • #8592: @josegonzalez Add security section to release changelog
  • #8587: @vixalien Correct buildkit builder code block syntax
  • #8580: @othercorey Set issue type in bug report template

Dependencies

  • #8579: @josegonzalez Use type prefix for dokku-bot dependency label

Tests

  • #8586: @josegonzalez Count assert_output_contains matches as fixed strings
  • #8581: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/go-fail-predeploy
  • #8582: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/gogrpc
  • #8584: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/go-fail-postdeploy
  • #8583: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/zombies-dockerfile-tini
  • #8585: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/zombies-dockerfile-no-tini
  • #8574: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-noexpose
  • #8575: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-procfile-bad
  • #8577: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-app-json-formations
  • #8576: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile
  • #8573: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-procfile



About dokku

A Docker-powered PaaS that helps you build and manage the lifecycle of applications.
