From 0bc9ff5668e2ebea75822dcf59ec919c460bb69c Mon Sep 17 00:00:00 2001
From: strtgbb <146047128+strtgbb@users.noreply.github.com>
Date: Thu, 18 Jun 2026 13:08:31 -0400
Subject: [PATCH] Merge pull request #1921 from
 Altinity/ubuntu-libssl3-stable-26.3

Stable-26.3: Upgrade libssl3 in Ubuntu server Docker image
---
 docker/server/Dockerfile.ubuntu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/server/Dockerfile.ubuntu b/docker/server/Dockerfile.ubuntu
index 911389e4e64f..ed2ca108bdab 100644
--- a/docker/server/Dockerfile.ubuntu
+++ b/docker/server/Dockerfile.ubuntu
@@ -8,6 +8,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 ARG apt_archive="http://archive.ubuntu.com"
 
 # We shouldn't use `apt upgrade` to not change the upstream image. It's updated biweekly
+# Exception: targeted --only-upgrade for libssl3 to address CVE without a general upgrade.
 
 # user/group precreated explicitly with fixed uid/gid on purpose.
 # It is especially important for rootless containers: in that case entrypoint
@@ -27,6 +28,7 @@ RUN sed -i "s|http://archive.ubuntu.com|${apt_archive}|g" /etc/apt/sources.list
         tzdata \
         wget \
         gpgv \
+    && apt-get install --yes --only-upgrade libssl3 \
     && busybox --install -s \
     && rm -rf /var/lib/apt/lists/* /var/cache/debconf /tmp/*