fix: Migrate remaining Dockerfiles from bookworm to trixie (CVE-2026-42010) (#1575)

notgitika · web-flow · commit f00c399676fe · 2026-06-01T14:16:52.000-04:00
Replace all remaining bookworm-based images with Debian Trixie (stable) to address CVE-2026-42010 (GnuTLS RSA-PSK authentication bypass, CVSS 9.8) and align with the rest of the repository. Changes: - 4 Dockerfiles: python:3.13-slim-bookworm -> python:3.13-slim-trixie - 7 Dockerfiles: ghcr.io/astral-sh/uv:python3.13-bookworm-slim -> python:3.13-slim-trixie + COPY --from=ghcr.io/astral-sh/uv:latest Trixie (Debian 13) includes the GnuTLS fix (DLA-4595-1) and is now the current Debian stable release. Bookworm full support ends June 2026. sim: https://t.corp.amazon.com/D448133494
diff --git a/01-features/04-manage-context-of-your-agent/memory/03-integrations/01-runtime-integration/Dockerfile b/01-features/04-manage-context-of-your-agent/memory/03-integrations/01-runtime-integration/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 WORKDIR /app
 
 # All environment variables in one layer
diff --git a/01-features/04-manage-context-of-your-agent/memory/03-integrations/02-identity-integration/Dockerfile b/01-features/04-manage-context-of-your-agent/memory/03-integrations/02-identity-integration/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 WORKDIR /app
 
 # All environment variables in one layer
diff --git a/01-features/04-manage-context-of-your-agent/memory/05-security/01-iam-scoped-access/Dockerfile b/01-features/04-manage-context-of-your-agent/memory/05-security/01-iam-scoped-access/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 WORKDIR /app
 
 # All environment variables in one layer
diff --git a/01-features/04-manage-context-of-your-agent/memory/05-security/02-cognito-federated-identity/Dockerfile b/01-features/04-manage-context-of-your-agent/memory/05-security/02-cognito-federated-identity/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 WORKDIR /app
 
 # All environment variables in one layer
diff --git a/01-features/07-centralize-and-govern-your-ai-infrastructure/03-registry/03-advanced/discovery-and-invocation-at-runtime/Dockerfile b/01-features/07-centralize-and-govern-your-ai-infrastructure/03-registry/03-advanced/discovery-and-invocation-at-runtime/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 WORKDIR /app
 
 # All environment variables in one layer
diff --git a/01-features/07-centralize-and-govern-your-ai-infrastructure/03-registry/03-advanced/publish-agentcore-tools-in-registry/Dockerfile b/01-features/07-centralize-and-govern-your-ai-infrastructure/03-registry/03-advanced/publish-agentcore-tools-in-registry/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 WORKDIR /app
 
 # All environment variables in one layer
diff --git a/01-features/08-agents-that-transact/02-use-cases/pay-for-content-browser-use/agent/Dockerfile b/01-features/08-agents-that-transact/02-use-cases/pay-for-content-browser-use/agent/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
 
 WORKDIR /app
 
diff --git a/01-features/08-agents-that-transact/02-use-cases/pay-for-data/agent/Dockerfile b/01-features/08-agents-that-transact/02-use-cases/pay-for-data/agent/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
 
 WORKDIR /app
 
diff --git a/06-workshops/07-AgentCore-evaluations/05-groundtruth-based-evalautions/Dockerfile b/06-workshops/07-AgentCore-evaluations/05-groundtruth-based-evalautions/Dockerfile
@@ -1,4 +1,5 @@
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 WORKDIR /app
 
 # All environment variables in one layer
diff --git a/06-workshops/13-AgentCore-payments/02-use-cases/pay-for-content-browser-use/agent/Dockerfile b/06-workshops/13-AgentCore-payments/02-use-cases/pay-for-content-browser-use/agent/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
 
 WORKDIR /app
 
diff --git a/06-workshops/13-AgentCore-payments/02-use-cases/pay-for-data/agent/Dockerfile b/06-workshops/13-AgentCore-payments/02-use-cases/pay-for-data/agent/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm
+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
 
 WORKDIR /app
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm`
	`1`	`+FROM public.ecr.aws/docker/library/python:3.13-slim-trixie`
`2`	`2`
`3`	`3`	`WORKDIR /app`
`4`	`4`