From 20c84b0533b6758c83b1be93c1769762ddf30c51 Mon Sep 17 00:00:00 2001 From: Hendrik Leidinger Date: Mon, 8 Jun 2026 18:52:39 -0700 Subject: [PATCH 1/5] fix: nginx latest security fix crashes editors, reverting Signed-off-by: Hendrik Leidinger --- build/.docker/standalone.bake.Dockerfile | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/build/.docker/standalone.bake.Dockerfile b/build/.docker/standalone.bake.Dockerfile index 3e4b48e3d9..7b0000b2ee 100644 --- a/build/.docker/standalone.bake.Dockerfile +++ b/build/.docker/standalone.bake.Dockerfile @@ -26,6 +26,16 @@ ENV EO_CONF=${EO_CONF} ENV COMPANY_NAME_LOW=${COMPANY_NAME_LOW} ENV PRODUCT_NAME_LOW=${PRODUCT_NAME_LOW} + +#### Hotfix: nginx 1.24.0-2ubuntu7.10 broke editors, +#### switch back to 1.24.0-2ubuntu7.9 for now +ARG APT_SNAPSHOT=20260602T120000Z +RUN apt-get -y update && \ + apt-get -yq install ca-certificates && \ + sed -i '/^Suites:/a Snapshot: '"${APT_SNAPSHOT}" /etc/apt/sources.list.d/ubuntu.sources +#### Hotfix + + RUN apt-get -y update && \ ACCEPT_EULA=Y apt-get -yq install \ postgresql postgresql-client redis-server rabbitmq-server \ From 1996010ae5063a5c0e222597bce985012bcd2c19 Mon Sep 17 00:00:00 2001 From: dsyzov Date: Tue, 9 Jun 2026 15:03:05 +0000 Subject: [PATCH 2/5] fix: pin only nginx to snapshot version, not all apt packages The original broad snapshot pinning broke the .deb installation step because the DocumentServer package's dependencies could not be resolved against the frozen June 2 snapshot. Instead, install only nginx and nginx-extras from the snapshot, hold them to prevent upgrades, then remove the snapshot source so all other packages resolve from current repos. Co-Authored-By: Claude Sonnet 4.6 --- build/.docker/standalone.bake.Dockerfile | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/build/.docker/standalone.bake.Dockerfile b/build/.docker/standalone.bake.Dockerfile index 7b0000b2ee..da7626d5a1 100644 --- a/build/.docker/standalone.bake.Dockerfile +++ b/build/.docker/standalone.bake.Dockerfile @@ -27,17 +27,22 @@ ENV COMPANY_NAME_LOW=${COMPANY_NAME_LOW} ENV PRODUCT_NAME_LOW=${PRODUCT_NAME_LOW} -#### Hotfix: nginx 1.24.0-2ubuntu7.10 broke editors, -#### switch back to 1.24.0-2ubuntu7.9 for now +#### Hotfix: nginx 1.24.0-2ubuntu7.10 broke editors, +#### pin only nginx to 1.24.0-2ubuntu7.9 from the snapshot and hold it ARG APT_SNAPSHOT=20260602T120000Z RUN apt-get -y update && \ apt-get -yq install ca-certificates && \ - sed -i '/^Suites:/a Snapshot: '"${APT_SNAPSHOT}" /etc/apt/sources.list.d/ubuntu.sources -#### Hotfix + echo "deb http://snapshot.ubuntu.com/ubuntu/${APT_SNAPSHOT} noble main" \ + > /etc/apt/sources.list.d/snapshot.list && \ + apt-get -y update && \ + apt-get -yq install nginx=1.24.0-2ubuntu7.9 nginx-extras=1.24.0-2ubuntu7.9 && \ + apt-mark hold nginx nginx-extras && \ + rm /etc/apt/sources.list.d/snapshot.list && \ + apt-get -y update +#### End hotfix -RUN apt-get -y update && \ - ACCEPT_EULA=Y apt-get -yq install \ +RUN ACCEPT_EULA=Y apt-get -yq install \ postgresql postgresql-client redis-server rabbitmq-server \ nginx sudo gdb nginx-extras supervisor jq util-linux \ netcat-openbsd xxd openssl && \ From e352f3b5df2f223a97347857c21224fe6dc47690 Mon Sep 17 00:00:00 2001 From: dsyzov Date: Tue, 9 Jun 2026 15:13:30 +0000 Subject: [PATCH 3/5] fix: use DEB822 format snapshot source with all suites and components The previous .list file only covered noble/main, missing noble-updates (where the nginx update lives) and universe (needed for nginx-extras). Switch to DEB822 .sources format covering all suites and components, and add --allow-downgrades to handle any priority conflicts. Co-Authored-By: Claude Sonnet 4.6 --- build/.docker/standalone.bake.Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build/.docker/standalone.bake.Dockerfile b/build/.docker/standalone.bake.Dockerfile index da7626d5a1..8b815a2a0f 100644 --- a/build/.docker/standalone.bake.Dockerfile +++ b/build/.docker/standalone.bake.Dockerfile @@ -32,12 +32,12 @@ ENV PRODUCT_NAME_LOW=${PRODUCT_NAME_LOW} ARG APT_SNAPSHOT=20260602T120000Z RUN apt-get -y update && \ apt-get -yq install ca-certificates && \ - echo "deb http://snapshot.ubuntu.com/ubuntu/${APT_SNAPSHOT} noble main" \ - > /etc/apt/sources.list.d/snapshot.list && \ + printf "Types: deb\nURIs: http://snapshot.ubuntu.com/ubuntu/%s\nSuites: noble noble-updates noble-security\nComponents: main universe restricted multiverse\n" "${APT_SNAPSHOT}" \ + > /etc/apt/sources.list.d/snapshot.sources && \ apt-get -y update && \ - apt-get -yq install nginx=1.24.0-2ubuntu7.9 nginx-extras=1.24.0-2ubuntu7.9 && \ + apt-get -yq install --allow-downgrades nginx=1.24.0-2ubuntu7.9 nginx-extras=1.24.0-2ubuntu7.9 && \ apt-mark hold nginx nginx-extras && \ - rm /etc/apt/sources.list.d/snapshot.list && \ + rm /etc/apt/sources.list.d/snapshot.sources && \ apt-get -y update #### End hotfix From 4684433bd3e4c0882f209259f226486d448e60d0 Mon Sep 17 00:00:00 2001 From: dsyzov Date: Tue, 9 Jun 2026 15:42:51 +0000 Subject: [PATCH 4/5] fix: use sed to temporarily apply snapshot only for nginx install Add the snapshot via sed to ubuntu.sources (Ubuntu's recommended method), install and hold the pinned nginx packages, then remove the Snapshot fields with a second sed pass so all subsequent apt operations use current repos. Co-Authored-By: Claude Sonnet 4.6 --- build/.docker/standalone.bake.Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/build/.docker/standalone.bake.Dockerfile b/build/.docker/standalone.bake.Dockerfile index 8b815a2a0f..6d98ac1492 100644 --- a/build/.docker/standalone.bake.Dockerfile +++ b/build/.docker/standalone.bake.Dockerfile @@ -32,12 +32,11 @@ ENV PRODUCT_NAME_LOW=${PRODUCT_NAME_LOW} ARG APT_SNAPSHOT=20260602T120000Z RUN apt-get -y update && \ apt-get -yq install ca-certificates && \ - printf "Types: deb\nURIs: http://snapshot.ubuntu.com/ubuntu/%s\nSuites: noble noble-updates noble-security\nComponents: main universe restricted multiverse\n" "${APT_SNAPSHOT}" \ - > /etc/apt/sources.list.d/snapshot.sources && \ + sed -i '/^Suites:/a Snapshot: '"${APT_SNAPSHOT}" /etc/apt/sources.list.d/ubuntu.sources && \ apt-get -y update && \ apt-get -yq install --allow-downgrades nginx=1.24.0-2ubuntu7.9 nginx-extras=1.24.0-2ubuntu7.9 && \ apt-mark hold nginx nginx-extras && \ - rm /etc/apt/sources.list.d/snapshot.sources && \ + sed -i '/^Snapshot:/d' /etc/apt/sources.list.d/ubuntu.sources && \ apt-get -y update #### End hotfix From 9a9f5e102bb5e4199f0d65bd8d7c39377afd48ca Mon Sep 17 00:00:00 2001 From: dsyzov Date: Tue, 9 Jun 2026 16:11:35 +0000 Subject: [PATCH 5/5] fix: remove nginx/nginx-extras from main install (already held from snapshot) nginx and nginx-extras are already installed and held at 1.24.0-2ubuntu7.9 in the preceding step. Including them again in the main apt install causes a dependency conflict because libnginx-mod-* in current repos is at 7.10. Co-Authored-By: Claude Sonnet 4.6 --- build/.docker/standalone.bake.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/.docker/standalone.bake.Dockerfile b/build/.docker/standalone.bake.Dockerfile index 6d98ac1492..39d449bda1 100644 --- a/build/.docker/standalone.bake.Dockerfile +++ b/build/.docker/standalone.bake.Dockerfile @@ -43,7 +43,7 @@ RUN apt-get -y update && \ RUN ACCEPT_EULA=Y apt-get -yq install \ postgresql postgresql-client redis-server rabbitmq-server \ - nginx sudo gdb nginx-extras supervisor jq util-linux \ + sudo gdb supervisor jq util-linux \ netcat-openbsd xxd openssl && \ rm -rf /var/lib/apt/lists/*