From 1aca95f825fd0e6d177959c4236900b044635919 Mon Sep 17 00:00:00 2001
From: Priya Ananthasankar
Date: Mon, 8 Dec 2025 13:47:28 -0800
Subject: [PATCH 1/4] Fixed Go Vulns due to istioctl and rootless docker kit
---
 linux/base.Dockerfile | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/linux/base.Dockerfile b/linux/base.Dockerfile
index 984f711c..15b22c50 100644
--- a/linux/base.Dockerfile
+++ b/linux/base.Dockerfile
@@ -171,13 +171,15 @@ RUN chmod 755 /usr/local/bin/ansible* \
 && /opt/ansible/bin/python -m pip install -r /usr/share/ansible/collections/ansible_collections/azure/azcollection/requirements.txt
-# Install latest version of Istio
+# Install specific version of Istio from GitHub releases
+ENV ISTIO_VERSION=1.28.1
 RUN export TMP_DIR=$(mktemp -d) \
- && pushd "${TMP_DIR}" \
- && curl -sSL https://git.io/getLatestIstio | sh - \
- && mv ./istio*/bin/istioctl /usr/local/bin/istioctl \
+ && cd "${TMP_DIR}" \
+ && curl -L https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz -o istio.tar.gz \
+ && tar -xzf istio.tar.gz \
+ && mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl \
 && chmod 755 /usr/local/bin/istioctl \
- && popd \
+ && cd / \
 && rm -rf "${TMP_DIR}"
 ENV GOROOT="/usr/lib/golang"
@@ -226,7 +228,7 @@ RUN curl -fsSL https://aka.ms/install-azd.sh | bash && \
 # Install rootless kit
 TMP_DIR=$(mktemp -d) && \
 pushd $TMP_DIR && \
- ROOTLESSKIT_VERSION=$(curl https://api.github.com/repos/rootless-containers/rootlesskit/releases/latest | jq -r '.tag_name') && \
+ ROOTLESSKIT_VERSION=v2.3.5 && \
 curl -LO https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz && \
 curl -LO https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/SHA256SUMS && \
 sha256sum -c SHA256SUMS --ignore-missing && \
From 4d872dcce413ce86c0a1c998de9b5fbdc67246d9 Mon Sep 17 00:00:00 2001
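Review bot: The Istio archive fetched on the `curl -L … -o istio.tar.gz` line is extracted and installed with no integrity check, whereas the rootlesskit block in the next hunk of this same file verifies its download with `sha256sum -c`; pinning the version stops the "latest" drift but does not protect against a tampered or truncated archive. `curl -L` also lacks `-f`, so a missing release asset (e.g. a typo in ISTIO_VERSION) hands an HTML error body to `tar` instead of failing the fetch with a clear curl error. Suggest `&& curl -fsSL … -o istio.tar.gz \` followed by `&& echo "<sha256-of-istio-1.28.1-linux-amd64.tar.gz placeholder>  istio.tar.gz" | sha256sum -c - \` before the `tar -xzf`, with the expected digest recorded next to ISTIO_VERSION so a version bump updates both. If nothing else in the file reads ISTIO_VERSION, `ARG` is preferable to `ENV`, which persists the value into the runtime environment of every image derived from this base. Patch 3/4 (`419208775ba7`) repeats this hunk byte-for-byte against the same blob ids (`984f711c..15b22c50`), so the same applies there.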
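Review bot: `ROOTLESSKIT_VERSION=v2.3.5` is pinned as a shell variable buried inside the RUN chain, which removes the unauthenticated GitHub API lookup but hides the version from dependency scanners and is inconsistent with the Istio hunk above, which exposes its version as a Dockerfile variable; suggest `ARG ROOTLESSKIT_VERSION=v2.3.5` before the RUN and dropping the inline assignment. The SHA256SUMS file is downloaded from the same release URL as the tarball, so the existing `sha256sum -c SHA256SUMS --ignore-missing` detects corruption but not a compromised or substituted upstream release; pinning the expected tarball digest in the Dockerfile would close that gap. Both `curl -LO` lines also lack `-f`, so a 404 is only caught indirectly when the checksum step fails on the error page. Separately, patch 4/4 (`783b461a`) reverts the IMAGE_LOCATION bump from patch 2/4, leaving tools.Dockerfile building from `base.master.6850ceb0.20250930.1`, so as the series stands the tools image does not pick up these fixes; worth confirming that is intended. The enclosing RUN starts and ends outside this hunk, and patch 3/4 repeats it unchanged.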
From: Priya Ananthasankar
Date: Tue, 9 Dec 2025 17:03:03 -0800
Subject: [PATCH 2/4] Update base image location in Dockerfile
---
 linux/tools.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/tools.Dockerfile b/linux/tools.Dockerfile
index 3452b6b8..d3b0bfb3 100644
--- a/linux/tools.Dockerfile
+++ b/linux/tools.Dockerfile
@@ -4,7 +4,7 @@
 # To build yourself locally, override this location with a local image tag. See README.md for more detail
-ARG IMAGE_LOCATION=cloudconregprd.azurecr.io/public/azure-cloudshell:base.master.6850ceb0.20250930.1
+ARG IMAGE_LOCATION=cloudconregprd.azurecr.io/public/azure-cloudshell:base.base_image_vuln_fixes.1aca95f8.20251208.2
 # Copy from base build
 FROM ${IMAGE_LOCATION}
From 419208775ba70fb0fb8a9b3084b9bbbfefd668ee Mon Sep 17 00:00:00 2001
From: Priya Ananthasankar
Date: Tue, 9 Dec 2025 20:25:58 -0800
Subject: [PATCH 3/4] Fixed Go vulns due to istioctl
---
 linux/base.Dockerfile | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/linux/base.Dockerfile b/linux/base.Dockerfile
index 984f711c..15b22c50 100644
--- a/linux/base.Dockerfile
+++ b/linux/base.Dockerfile
@@ -171,13 +171,15 @@ RUN chmod 755 /usr/local/bin/ansible* \
 && /opt/ansible/bin/python -m pip install -r /usr/share/ansible/collections/ansible_collections/azure/azcollection/requirements.txt
-# Install latest version of Istio
+# Install specific version of Istio from GitHub releases
+ENV ISTIO_VERSION=1.28.1
 RUN export TMP_DIR=$(mktemp -d) \
- && pushd "${TMP_DIR}" \
- && curl -sSL https://git.io/getLatestIstio | sh - \
- && mv ./istio*/bin/istioctl /usr/local/bin/istioctl \
+ && cd "${TMP_DIR}" \
+ && curl -L https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz -o istio.tar.gz \
+ && tar -xzf istio.tar.gz \
+ && mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl \
 && chmod 755 /usr/local/bin/istioctl \
- && popd \
+ && cd / \
 && rm -rf "${TMP_DIR}"
 ENV GOROOT="/usr/lib/golang"
@@ -226,7 +228,7 @@ RUN curl -fsSL https://aka.ms/install-azd.sh | bash && \
 # Install rootless kit
 TMP_DIR=$(mktemp -d) && \
 pushd $TMP_DIR && \
- ROOTLESSKIT_VERSION=$(curl https://api.github.com/repos/rootless-containers/rootlesskit/releases/latest | jq -r '.tag_name') && \
+ ROOTLESSKIT_VERSION=v2.3.5 && \
 curl -LO https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz && \
 curl -LO https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/SHA256SUMS && \
 sha256sum -c SHA256SUMS --ignore-missing && \
From 783b461a98d647d568499bcaa239cd3092488d61 Mon Sep 17 00:00:00 2001
From: Priya Ananthasankar
Date: Tue, 9 Dec 2025 20:28:14 -0800
Subject: [PATCH 4/4] Fixed Go vulns due to istioctl
---
 linux/tools.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/tools.Dockerfile b/linux/tools.Dockerfile
index d3b0bfb3..3452b6b8 100644
--- a/linux/tools.Dockerfile
+++ b/linux/tools.Dockerfile
@@ -4,7 +4,7 @@
 # To build yourself locally, override this location with a local image tag. See README.md for more detail
-ARG IMAGE_LOCATION=cloudconregprd.azurecr.io/public/azure-cloudshell:base.base_image_vuln_fixes.1aca95f8.20251208.2
+ARG IMAGE_LOCATION=cloudconregprd.azurecr.io/public/azure-cloudshell:base.master.6850ceb0.20250930.1
 # Copy from base build
 FROM ${IMAGE_LOCATION}