fix(docker): upgrade to Debian Trixie to remediate CVE-2023-45853#10751

Open
whitehat101 wants to merge 1 commit into cube-js:master from whitehat101:feature/CVE-2023-45853

Conversation

@whitehat101

Check List

  • Tests have been run in packages where changes have been made if available
  • Linter has been run for changed code
  • Tests for the changes have been added if not covered yet
  • Docs have been added / updated if required

Issue Reference this PR resolves

#7499
#9977 (also patches other CVEs in addition to CVE-2023-45853)

Summary

Upgrades all Dockerfile base images from Debian 12 (Bookworm) to Debian 13 (Trixie) to remediate CVE-2023-45853, a heap-based buffer overflow in MiniZip bundled within zlib. This PR also updates Python 3.11 to 3.13 and OpenJDK 17 to 21 to match Debian Trixie's available packages.


Files Changed

CI workflows (.github/workflows/)

master.yml - Updated Python version for PyO3:

  • PYO3_PYTHON: python3.11 → python3.13
  • Artifact names: native-linux-x64-glibc-3.11.node → native-linux-x64-glibc-3.13.node

Application images (packages/cubejs-docker/)

Five Dockerfiles updated with identical changes:

  • dev.Dockerfile
  • latest.Dockerfile (no JDK dependency)
  • latest-debian-jdk.Dockerfile
  • local.Dockerfile (no JDK dependency)
  • testing-drivers.Dockerfile

Changes:

  1. Base image: node:22.22.0-bookworm-slim → node:22.22.0-trixie-slim
  2. Python: python3.11 / libpython3.11-dev → python3.13 / libpython3.13-dev
  3. OpenJDK: openjdk-17-jdk-headless / openjdk-17-jre-headless → openjdk-21-jdk-headless / openjdk-21-jre-headless (where applicable)

Note: Debian Trixie ships Python 3.13 and OpenJDK 21 as defaults. Earlier versions are not available in official repositories.


CubeStore images (rust/cubestore/)

Dockerfile - Runtime stage only:

  • debian:bookworm-slim → debian:trixie-slim
  • Builder stage (cubejs/rust-builder:bookworm-llvm-18) intentionally unchanged until new builder image is published

builder.Dockerfile - Security improvements and Trixie migration:

  • Default RUST_TAG: bookworm-slim → trixie-slim (via 1-slim-trixie)
  • Default OS_NAME: bookworm → trixie
  • Security: Removed external apt.llvm.org source (LLVM 18 now in Trixie main repos)
  • Security: Removed deprecated apt-key add command
  • Security: Removed software-properties-common, wget, gnupg, apt-transport-https (no longer needed)
  • Simplified package installation to use only Debian's official repositories

docker-bake.hcl - Added new target:

  • New rust-builder-trixie target for cubejs/rust-builder:trixie-llvm-18
  • Existing bookworm and bullseye targets preserved

Security Improvements

CVE-2023-45853 Remediation

  • Before: zlib 1.2.13 (CVSS 9.8 CRITICAL vulnerability)
  • After: zlib 1.3.1 (patched)
  • Impact: Eliminates heap-based buffer overflow risk in MiniZip

Builder Image Hardening

  • Removed external apt source: apt.llvm.org no longer needed (LLVM 18 in Debian Trixie)
  • Removed deprecated command: apt-key add (security risk)
  • Reduced attack surface: Fewer packages installed (removed software-properties-common, wget, gnupg)
  • Supply chain security: Uses only official Debian repositories

Extended Support

  • Debian Trixie EOL: 2030-06 (vs Bookworm EOL: 2028-06)
  • Python 3.13: Current stable release with security updates
  • OpenJDK 21: Current LTS release (vs OpenJDK 17)

Breaking Changes

Python Version

  • Old: Python 3.11
  • New: Python 3.13
  • Impact: PyO3 native bindings (cubejs-backend-native) require testing
  • Mitigation: CI workflow updated; validation recommended before deployment

Java Version (JDK images only)

  • Old: OpenJDK 17
  • New: OpenJDK 21
  • Impact: JDBC drivers and Java-based connectors
  • Mitigation: OpenJDK 21 is backward compatible; minimal risk expected

Deferred Work

The following require follow-up after this PR merges:

1. Publish cubejs/rust-builder:trixie-llvm-18

Build and push the new builder image using the updated builder.Dockerfile:

cd rust/cubestore
docker buildx bake rust-builder-trixie --push

The builder now uses only Debian's official repositories and requires no external apt sources.

2. Update CubeStore Dockerfile builder stage

After publishing the new builder image:

# Change from:
FROM cubejs/rust-builder:bookworm-llvm-18 AS builder
# To:
FROM cubejs/rust-builder:trixie-llvm-18 AS builder

This completes the CVE remediation for all stages (currently only runtime is fixed).

3. Update CI workflow

.github/workflows/rust-cubestore.yml - Update container image:

container:
  image: cubejs/rust-builder:trixie-llvm-18  # was bookworm-llvm-18

References

@whitehat101 whitehat101 requested review from a team as code owners April 24, 2026 17:21
@github-actions github-actions Bot added labels: cube store (Issues relating to Cube Store), rust (Pull requests that update Rust code), pr:community (Contribution from Cube.js community members.) on Apr 24, 2026
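A small audit script, added here as an example and not part of the PR or the Cube.js repository, that scans Dockerfile text for the three weak settings the PR description removes: a pre-Trixie Debian base tag (the Bookworm images carry zlib 1.2.13), the deprecated `apt-key add` command, and the external apt.llvm.org source. The sample "before" and "after" Dockerfiles are constructed to mirror the shape described above, not copied from the project.

```python
"""Flag Dockerfile lines matching the weak settings described in the PR (assumed checks)."""
import re
from typing import List

# Base tags for Debian releases older than Trixie (bullseye = 11, bookworm = 12).
PRE_TRIXIE_RE = re.compile(r"bullseye|bookworm")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
APT_KEY_RE = re.compile(r"\bapt-key\s+add\b")
EXTERNAL_SOURCE_RE = re.compile(r"apt\.llvm\.org")


def audit_dockerfile(text: str) -> List[str]:
    """Return one finding per risky logical line; an empty list means clean."""
    findings: List[str] = []
    # Join backslash-continued RUN lines so a pattern split across physical
    # lines is still matched. Numbers therefore refer to logical instructions.
    logical_lines = re.sub(r"\\\n", " ", text).splitlines()
    for n, line in enumerate(logical_lines, 1):
        m = FROM_RE.match(line)
        if m and PRE_TRIXIE_RE.search(m.group(1)):
            findings.append(f"line {n}: base image {m.group(1)} is a pre-Trixie Debian release")
        if APT_KEY_RE.search(line):
            findings.append(f"line {n}: deprecated 'apt-key add' used for repository keys")
        if EXTERNAL_SOURCE_RE.search(line):
            findings.append(f"line {n}: external apt source apt.llvm.org added")
    return findings


# Constructed sample in the pre-PR shape (external LLVM repo keyed via apt-key).
BEFORE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y wget gnupg software-properties-common \\
    && wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - \\
    && add-apt-repository "deb http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-18 main"
"""

# Constructed sample in the post-PR shape: Trixie base, LLVM 18 from main repos.
AFTER = """\
FROM debian:trixie-slim
RUN apt-get update && apt-get install -y clang-18 lld-18
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_dockerfile(text) or ["clean"])
```

Point the function at a real Dockerfile's contents to get the same report for the runtime and builder stages listed in the PR.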