zot/2.1.13-r0: cve remediation #77697
Closed
Chainguard Internal / elastic-build
failed
Jan 15, 2026 in 3m 2s
Failed to build APKs
Build ID: 6e65d9e2-8476-4181-aea5-5c7e1613ea57
Error: failed to build zot: building group: pod failed: build failed
did not test because building group: pod failed: build failed
Details
builds
x86_64 Logs
Click to expand
parsed env
using enhanced syft sbom melange runner
configuring puller identity "720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69"...
running command chainctl [auth login --audience apk.cgr.dev --identity 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69]
Successfully exchanged token.
Valid! Id: 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69
Updates are available for chainctl (current version: 0.2.192; latest: 0.2.193). To install, please run:
$ chainctl update
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running build...
configuring enhanced Syft SBOM generation...
melange devel with runner qemu is building:
populating workspace /tmp/melange-workspace-1192422075 from zot
image configuration:
contents:
build repositories: [https://apk.cgr.dev/chainguard https://apk.cgr.dev/wolfi-presubmit/92ec972601b43476c564edb0171d9a181d61bf78]
runtime repositories: []
repositories: []
keyring: []
packages: [bash=5.3-r3 binutils=2.45.1-r2 build-base=1-r9 busybox=1.37.0-r50 ca-certificates-bundle=20251003-r2 curl=8.18.0-r0 cyrus-sasl=2.1.28-r45 gcc=15.2.0-r6 gdbm=1.26-r1 git=2.52.0-r1 glibc-dev=2.42-r5 glibc-locale-posix=2.42-r5 glibc=2.42-r5 gmp=6.3.0-r8 go-1.25=1.25.5-r0 gobump=0.9.3-r3 heimdal-libs=7.8.0-r42 isl=0.27-r4 keyutils-libs=1.6.3-r37 krb5-conf=1.0-r7 krb5-libs=1.22.1-r1 ld-linux=2.42-r5 libatomic=15.2.0-r6 libbrotlicommon1=1.2.0-r1 libbrotlidec1=1.2.0-r1 libcom_err=1.47.3-r1 libcrypt1=2.42-r5 libcrypto3=3.6.0-r6 libcurl-openssl4=8.18.0-r0 libexpat1=2.7.3-r0 libgcc=15.2.0-r6 libgomp=15.2.0-r6 libidn2=2.3.8-r3 libldap-2.6=2.6.10-r7 libnghttp2-14=1.68.0-r0 libpcre2-8-0=10.47-r0 libpsl=0.21.5-r6 libquadmath=15.2.0-r6 libssl3=3.6.0-r6 libstdc++-dev=15.2.0-r6 libstdc++=15.2.0-r6 libunistring=1.4.1-r1 libverto=0.3.2-r6 libxcrypt-dev=4.5.2-r0 libxcrypt=4.5.2-r0 libzstd1=1.5.7-r5 linux-headers=6.18.5-r0 make=4.4.1-r8 mpc=1.3.1-r7 mpfr=4.2.2-r2 ncurses-terminfo-base=6.6_p20251230-r0 ncurses=6.6_p20251230-r0 nghttp3=1.14.0-r0 nss-db=2.42-r5 nss-hesiod=2.42-r5 openssf-compiler-options=20250904-r2 pkgconf=2.5.1-r1 posix-cc-wrappers=2-r7 readline=8.3-r1 scanelf=1.3.10-r0 sqlite-libs=3.51.1-r0 wolfi-baselayout=20230201-r26 zlib=1.3.1.2-r1]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
auth configured for: 0x223fa80
installing wolfi-baselayout (20230201-r26)
installing ca-certificates-bundle (20251003-r2)
installing glibc-locale-posix (2.42-r5)
installing libgcc (15.2.0-r6)
installing glibc (2.42-r5)
installing ld-linux (2.42-r5)
installing ncurses-terminfo-base (6.6_p20251230-r0)
installing ncurses (6.6_p20251230-r0)
installing bash (5.3-r3)
installing libstdc++ (15.2.0-r6)
installing libzstd1 (1.5.7-r5)
installing binutils (2.45.1-r2)
installing libxcrypt (4.5.2-r0)
installing libxcrypt-dev (4.5.2-r0)
installing linux-headers (6.18.5-r0)
installing nss-db (2.42-r5)
installing nss-hesiod (2.42-r5)
installing glibc-dev (2.42-r5)
installing libquadmath (15.2.0-r6)
installing libstdc++-dev (15.2.0-r6)
installing openssf-compiler-options (20250904-r2)
installing posix-cc-wrappers (2-r7)
installing libatomic (15.2.0-r6)
installing gmp (6.3.0-r8)
installing libgomp (15.2.0-r6)
installing isl (0.27-r4)
installing mpfr (4.2.2-r2)
installing mpc (1.3.1-r7)
installing zlib (1.3.1.2-r1)
installing gcc (15.2.0-r6)
installing make (4.4.1-r8)
installing pkgconf (2.5.1-r1)
installing build-base (1-r9)
installing libcrypt1 (2.42-r5)
installing busybox (1.37.0-r50)
installing libbrotlicommon1 (1.2.0-r1)
installing libbrotlidec1 (1.2.0-r1)
installing libcrypto3 (3.6.0-r6)
installing krb5-conf (1.0-r7)
installing libcom_err (1.47.3-r1)
installing keyutils-libs (1.6.3-r37)
installing libssl3 (3.6.0-r6)
installing libverto (0.3.2-r6)
installing krb5-libs (1.22.1-r1)
installing gdbm (1.26-r1)
installing readline (8.3-r1)
installing sqlite-libs (3.51.1-r0)
installing heimdal-libs (7.8.0-r42)
installing cyrus-sasl (2.1.28-r45)
installing libldap-2.6 (2.6.10-r7)
installing libnghttp2-14 (1.68.0-r0)
installing nghttp3 (1.14.0-r0)
installing libunistring (1.4.1-r1)
installing libidn2 (2.3.8-r3)
installing libpsl (0.21.5-r6)
installing libcurl-openssl4 (8.18.0-r0)
installing curl (8.18.0-r0)
installing libexpat1 (2.7.3-r0)
installing libpcre2-8-0 (10.47-r0)
installing git (2.52.0-r1)
installing go-1.25 (1.25.5-r0)
installing gobump (0.9.3-r3)
installing scanelf (1.3.10-r0)
qemu: generating ssh key pairs for ephemeral VM
qemu: generating SSH host key for VM
qemu: generating base initramfs
image configuration:
contents:
build repositories: [https://apk.cgr.dev/chainguard]
runtime repositories: []
repositories: []
keyring: []
packages: [microvm-init]
installing wolfi-baselayout (20230201-r26)
installing ca-certificates-bundle (20251003-r2)
installing libgcc (15.2.0-r6)
installing glibc-locale-posix (2.42-r5)
installing glibc (2.42-r5)
installing ld-linux (2.42-r5)
installing gnutar-rmt (1.35-r7)
installing gnutar (1.35-r7)
installing libattr1 (2.5.2-r54)
installing attr (2.5.2-r54)
installing zlib (1.3.1.2-r1)
installing libzstd1 (1.5.7-r5)
installing xz (5.8.2-r0)
installing libcrypto3 (3.6.0-r6)
installing kmod (34.2-r43)
installing libmnl (1.0.5-r6)
installing libbz2-1 (1.0.8-r21)
installing libelf (0.194-r0)
installing libbpf (1.6.2-r0)
installing libverto (0.3.2-r6)
installing krb5-conf (1.0-r7)
installing libcom_err (1.47.3-r1)
installing keyutils-libs (1.6.3-r37)
installing libssl3 (3.6.0-r6)
installing krb5-libs (1.22.1-r1)
installing libtirpc (1.3.7-r1)
installing libpcre2-8-0 (10.47-r0)
installing libsepol (3.9-r1)
installing libselinux (3.9-r1)
installing libnftnl (1.3.1-r0)
installing xtables (1.8.11-r32)
installing libcap (2.77-r1)
installing iproute2 (6.18.0-r0)
installing libstdc++ (15.2.0-r6)
installing inih (62-r1)
installing liburcu (0.15.5-r0)
installing libblkid (2.41.3-r0)
installing libuuid (2.41.3-r0)
installing xfsprogs-core (6.18.0-r0)
installing xfsprogs (6.18.0-r0)
installing libmount (2.41.3-r0)
installing mount (2.41.3-r0)
installing ncurses-terminfo-base (6.6_p20251230-r0)
installing ncurses (6.6_p20251230-r0)
installing setarch (2.41.3-r0)
installing libfdisk (2.41.3-r0)
installing sqlite-libs (3.51.1-r0)
installing util-linux (2.41.3-r0)
installing libsmartcols (2.41.3-r0)
installing util-linux-misc (2.41.3-r0)
installing libxcrypt (4.5.2-r0)
installing libcrypt1 (2.42-r5)
installing linux-pam (1.7.1-r4)
installing openssh-keygen (10.2_p1-r3)
installing openssh-server-config (10.2_p1-r3)
installing openssh-server (10.2_p1-r3)
installing busybox (1.37.0-r50)
installing microvm-init (0.0.1-r15)
aarch64 Logs
Click to expand
parsed env
using enhanced syft sbom melange runner
configuring puller identity "720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69"...
running command chainctl [auth login --audience apk.cgr.dev --identity 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69]
Successfully exchanged token.
Valid! Id: 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69
Updates are available for chainctl (current version: 0.2.192; latest: 0.2.193). To install, please run:
$ chainctl update
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running build...
configuring enhanced Syft SBOM generation...
melange devel with runner bubblewrap is building:
populating workspace /tmp/melange-workspace-1079103968 from zot
image configuration:
contents:
build repositories: [https://apk.cgr.dev/chainguard https://apk.cgr.dev/wolfi-presubmit/92ec972601b43476c564edb0171d9a181d61bf78]
runtime repositories: []
repositories: []
keyring: []
packages: [bash=5.3-r3 binutils=2.45.1-r2 build-base=1-r9 busybox=1.37.0-r50 ca-certificates-bundle=20251003-r2 curl=8.18.0-r0 cyrus-sasl=2.1.28-r45 gcc=15.2.0-r6 gdbm=1.26-r1 git=2.52.0-r1 glibc-dev=2.42-r5 glibc-locale-posix=2.42-r5 glibc=2.42-r5 gmp=6.3.0-r8 go-1.25=1.25.5-r0 gobump=0.9.3-r3 heimdal-libs=7.8.0-r42 isl=0.27-r4 keyutils-libs=1.6.3-r37 krb5-conf=1.0-r7 krb5-libs=1.22.1-r1 ld-linux=2.42-r5 libatomic=15.2.0-r6 libbrotlicommon1=1.2.0-r1 libbrotlidec1=1.2.0-r1 libcom_err=1.47.3-r1 libcrypt1=2.42-r5 libcrypto3=3.6.0-r6 libcurl-openssl4=8.18.0-r0 libexpat1=2.7.3-r0 libgcc=15.2.0-r6 libgomp=15.2.0-r6 libidn2=2.3.8-r3 libldap-2.6=2.6.10-r7 libnghttp2-14=1.68.0-r0 libpcre2-8-0=10.47-r0 libpsl=0.21.5-r6 libquadmath=15.2.0-r6 libssl3=3.6.0-r6 libstdc++-dev=15.2.0-r6 libstdc++=15.2.0-r6 libunistring=1.4.1-r1 libverto=0.3.2-r6 libxcrypt-dev=4.5.2-r0 libxcrypt=4.5.2-r0 libzstd1=1.5.7-r5 linux-headers=6.18.5-r0 make=4.4.1-r8 mpc=1.3.1-r7 mpfr=4.2.2-r2 ncurses-terminfo-base=6.6_p20251230-r0 ncurses=6.6_p20251230-r0 nghttp3=1.14.0-r0 nss-db=2.42-r5 nss-hesiod=2.42-r5 openssf-compiler-options=20250904-r2 pkgconf=2.5.1-r1 posix-cc-wrappers=2-r7 readline=8.3-r1 scanelf=1.3.10-r0 sqlite-libs=3.51.1-r0 wolfi-baselayout=20230201-r26 zlib=1.3.1.2-r1]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
auth configured for: 0x19e7090
installing wolfi-baselayout (20230201-r26)
installing ca-certificates-bundle (20251003-r2)
installing glibc-locale-posix (2.42-r5)
installing libgcc (15.2.0-r6)
installing glibc (2.42-r5)
installing ld-linux (2.42-r5)
installing ncurses-terminfo-base (6.6_p20251230-r0)
installing ncurses (6.6_p20251230-r0)
installing bash (5.3-r3)
installing libstdc++ (15.2.0-r6)
installing libzstd1 (1.5.7-r5)
installing binutils (2.45.1-r2)
installing libxcrypt (4.5.2-r0)
installing libxcrypt-dev (4.5.2-r0)
installing linux-headers (6.18.5-r0)
installing nss-db (2.42-r5)
installing nss-hesiod (2.42-r5)
installing glibc-dev (2.42-r5)
installing libquadmath (15.2.0-r6)
installing libstdc++-dev (15.2.0-r6)
installing openssf-compiler-options (20250904-r2)
installing posix-cc-wrappers (2-r7)
installing libatomic (15.2.0-r6)
installing gmp (6.3.0-r8)
installing libgomp (15.2.0-r6)
installing isl (0.27-r4)
installing mpfr (4.2.2-r2)
installing mpc (1.3.1-r7)
installing zlib (1.3.1.2-r1)
installing gcc (15.2.0-r6)
installing make (4.4.1-r8)
installing pkgconf (2.5.1-r1)
installing build-base (1-r9)
installing libcrypt1 (2.42-r5)
installing busybox (1.37.0-r50)
installing libbrotlicommon1 (1.2.0-r1)
installing libbrotlidec1 (1.2.0-r1)
installing libcrypto3 (3.6.0-r6)
installing krb5-conf (1.0-r7)
installing libcom_err (1.47.3-r1)
installing keyutils-libs (1.6.3-r37)
installing libssl3 (3.6.0-r6)
installing libverto (0.3.2-r6)
installing krb5-libs (1.22.1-r1)
installing gdbm (1.26-r1)
installing readline (8.3-r1)
installing sqlite-libs (3.51.1-r0)
installing heimdal-libs (7.8.0-r42)
installing cyrus-sasl (2.1.28-r45)
installing libldap-2.6 (2.6.10-r7)
installing libnghttp2-14 (1.68.0-r0)
installing nghttp3 (1.14.0-r0)
installing libunistring (1.4.1-r1)
installing libidn2 (2.3.8-r3)
installing libpsl (0.21.5-r6)
installing libcurl-openssl4 (8.18.0-r0)
installing curl (8.18.0-r0)
installing libexpat1 (2.7.3-r0)
installing libpcre2-8-0 (10.47-r0)
installing git (2.52.0-r1)
installing go-1.25 (1.25.5-r0)
installing gobump (0.9.3-r3)
installing scanelf (1.3.10-r0)
running step "git-checkout"
[git checkout] repo='https://github.com/project-zot/zot' dest='.' depth='unset' branch='' tag='v2.1.13' expcommit='4ad3fad3bceb70c8ebd1669b0962c177353339b2' recurse='false' sparse_paths=''
[git checkout] execute: git config --global --add safe.directory /tmp/tmp.nvJFEL
[git checkout] execute: git config --global --add safe.directory /home/build
[git checkout] execute: git clone --quiet --origin=origin --config=user.name=Melange Build [email protected] --config=advice.detachedHead=false --branch=v2.1.13 --depth=1 https://github.com/project-zot/zot /tmp/tmp.nvJFEL
[git checkout] execute: cd /tmp/tmp.nvJFEL
[git checkout] tar -c . | tar -C "/home/build" -x
[git checkout] execute: cd /home/build
[git checkout] execute: git config --global --add safe.directory /home/build
[git checkout] execute: git fetch --quiet origin --depth=1 --no-tags +refs/tags/v2.1.13:refs/origin/tags/v2.1.13
[git checkout] execute: git checkout --quiet origin/tags/v2.1.13
[git checkout] tag v2.1.13 is 4ad3fad3bceb70c8ebd1669b0962c177353339b2
running step "go/bump"
2026/01/15 16:00:31 Running go mod tidy with go version '1.25.5' ...
2026/01/15 16:00:55 Update package: github.com/sigstore/timestamp-authority
2026/01/15 16:00:55 Running go mod edit -droprequire ...
2026/01/15 16:00:55 Running go get ...
Error: failed to run update. Error: failed to run 'go get': exit status 1 with output: go: github.com/sigstore/[email protected]: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3
2026/01/15 16:00:57 failed to run update. Error: failed to run 'go get': exit status 1 with output: go: github.com/sigstore/[email protected]: invalid version: go.mod has post-v2 module path "github.com/sigstore/timestamp-authority/v2" at revision v2.0.3
failed to build: failed to build package: unable to run package zot pipeline: unable to run pipeline: unable to run pipeline: exit status 1
build failed: failed to build package: unable to run package zot pipeline: unable to run pipeline: unable to run pipeline: exit status 1
Indexes
https://apk.cgr.dev/wolfi-presubmit/92ec972601b43476c564edb0171d9a181d61bf78
❌ Failed Packages
- ❌ zot (error | 1m4s)
Packages
- ❌ zot (error | 1m4s | x86_64 logs | aarch64 logs)
More Observability
Command
cg build log \
--build-id 6e65d9e2-8476-4181-aea5-5c7e1613ea57 \
--project prod-wolfi-os \
--cluster elastic-pre-a \
--namespace pre-wolfi \
--start 2026-01-15T15:58:16Z \
--end 2026-01-15T16:11:19Z
Loading