Redpanda 24.3

hardened latest

Full version: 25.3.5 Analyzed: 2026-02-11

Size Reduction 67% 484.1 MB to 158.6 MB (325.5 MB saved)

Component Reduction -43% 119 to 170 packages (-51 removed)

Vulnerability Reduction 80% 49 to 10 vulnerabilities (39 eliminated)

Image Comparison

Property	upstream	hardened
Image	docker.io/redpandadata/redpanda:v25.3.5	ghcr.io/armorred/redpanda:25.3.5-hardened
Size	484.1 MB	158.6 MB
Layers	5	18
Components	119	170
Vulnerabilities	49	10
Runtime User	redpanda	999

Vulnerability Analysis

upstream 49 total

2critical

12high

30medium

2low

hardened 10 total

4medium

Upstream vulnerability details (49)

CVE ID	Severity	Package	Version	Fixed In
DEBIAN-CVE-2011-3374	low	apt	3.0.3	unfixed
DEBIAN-CVE-2022-3715	high	bash	5.2.37-2+b7	5.2-1
DEBIAN-CVE-2018-7738	high	bash-completion	1:2.16.0-7	2.31.1-0.5
DEBIAN-CVE-2016-2781	medium	coreutils	9.7-3	9.4-1
DEBIAN-CVE-2017-18018	medium	coreutils	9.7-3	unfixed
DEBIAN-CVE-2025-5278	medium	coreutils	9.7-3	unfixed
DEBIAN-CVE-2021-22922	medium	curl	8.14.1-2+deb13u2	7.79.1-1
DEBIAN-CVE-2021-22923	medium	curl	8.14.1-2+deb13u2	7.79.1-1
DEBIAN-CVE-2022-42916	high	curl	8.14.1-2+deb13u2	7.86.0-1
DEBIAN-CVE-2022-43551	high	curl	8.14.1-2+deb13u2	7.86.0-3
DEBIAN-CVE-2023-23914	critical	curl	8.14.1-2+deb13u2	7.88.1-1
DEBIAN-CVE-2023-23915	medium	curl	8.14.1-2+deb13u2	7.88.1-1
DEBIAN-CVE-2023-28320	medium	curl	8.14.1-2+deb13u2	7.88.1-10
DEBIAN-CVE-2023-46219	medium	curl	8.14.1-2+deb13u2	7.88.1-10+deb12u5
DEBIAN-CVE-2024-2379	medium	curl	8.14.1-2+deb13u2	8.7.1-1
DEBIAN-CVE-2024-9681	medium	curl	8.14.1-2+deb13u2	7.88.1-10+deb12u9
DEBIAN-CVE-2025-0725	high	curl	8.14.1-2+deb13u2	8.12.0+git20250209.89ed161+ds-1
DEBIAN-CVE-2025-10148	medium	curl	8.14.1-2+deb13u2	8.14.1-2+deb13u1
DEBIAN-CVE-2025-10966	medium	curl	8.14.1-2+deb13u2	8.17.0~rc2-1
DEBIAN-CVE-2025-11563	unknown	curl	8.14.1-2+deb13u2	8.14.1-2+deb13u2
DEBIAN-CVE-2025-13034	medium	curl	8.14.1-2+deb13u2	8.18.0~rc2-1
DEBIAN-CVE-2025-14017	medium	curl	8.14.1-2+deb13u2	8.18.0~rc2-1
DEBIAN-CVE-2025-14524	medium	curl	8.14.1-2+deb13u2	8.18.0~rc2-1
DEBIAN-CVE-2025-14819	medium	curl	8.14.1-2+deb13u2	8.18.0~rc3-1
DEBIAN-CVE-2025-15079	medium	curl	8.14.1-2+deb13u2	8.18.0~rc3-1
DEBIAN-CVE-2025-15224	low	curl	8.14.1-2+deb13u2	8.18.0-1
DEBIAN-CVE-2025-9086	high	curl	8.14.1-2+deb13u2	8.14.1-2+deb13u1
DEBIAN-CVE-2025-6297	high	dpkg	1.22.21	1.22.21
DEBIAN-CVE-2025-13151	high	libtasn1-6	4.20.0-2	4.21.0-2
DEBIAN-CVE-2025-11187	medium	openssl	3.5.4-1~deb13u1	3.5.4-1~deb13u2
DEBIAN-CVE-2025-15467	critical	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2025-15468	medium	openssl	3.5.4-1~deb13u1	3.5.4-1~deb13u2
DEBIAN-CVE-2025-15469	medium	openssl	3.5.4-1~deb13u1	3.5.4-1~deb13u2
DEBIAN-CVE-2025-27587	medium	openssl	3.5.4-1~deb13u1	3.5.0-1
DEBIAN-CVE-2025-66199	medium	openssl	3.5.4-1~deb13u1	3.5.4-1~deb13u2
DEBIAN-CVE-2025-68160	medium	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2025-69418	medium	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2025-69419	high	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2025-69420	high	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2025-69421	high	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2025-9230	high	openssl	3.5.4-1~deb13u1	1.1.1w-0+deb11u4
DEBIAN-CVE-2025-9231	medium	openssl	3.5.4-1~deb13u1	3.5.1-1+deb13u1
DEBIAN-CVE-2025-9232	medium	openssl	3.5.4-1~deb13u1	3.0.17-1~deb12u3
DEBIAN-CVE-2026-22795	medium	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2026-22796	medium	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DSA-6113-1	unknown	openssl	3.5.4-1~deb13u1	3.0.18-1~deb12u2
DEBIAN-CVE-2005-2541	unknown	tar	1.35+dfsg-3.1	unfixed
DEBIAN-CVE-2022-0563	medium	util-linux	2.41-5	unfixed
DEBIAN-CVE-2025-14104	medium	util-linux	2.41-5	2.41.3-1

Hardened vulnerability details (10)

CVE ID	Severity	Package	Version	Fixed In
GO-2022-0635	unknown	github.com/aws/aws-sdk-go	v1.55.6	unfixed
GO-2022-0646	unknown	github.com/aws/aws-sdk-go	v1.55.6	unfixed
GO-2025-4134	medium	golang.org/x/crypto	v0.43.0	0.45.0
GO-2025-4135	medium	golang.org/x/crypto	v0.43.0	0.45.0
GHSA-f6x5-jh6r-wrfv	medium	golang.org/x/crypto	v0.43.0	0.45.0
GHSA-j5w8-q4qc-rx2x	medium	golang.org/x/crypto	v0.43.0	0.45.0
GO-2026-4337	unknown	stdlib	1.25.5	1.24.13
GO-2026-4340	unknown	stdlib	1.25.5	1.24.12
GO-2026-4341	unknown	stdlib	1.25.5	1.24.12
GO-2026-4342	unknown	stdlib	1.25.5	1.24.12

Software Bill of Materials

upstream components (119)

apt 3.0.3
base-files 13.8+deb13u3
base-passwd 3.6.7
bash 5.2.37-2+b7
bash-completion 1:2.16.0-7
bsdutils 1:2.41-5
ca-certificates 20250419
coreutils 9.7-3
curl 8.14.1-2+deb13u2
dash 0.5.12-12
debconf 1.5.91
debian-archive-keyring 2025.1
debianutils 5.23.2
diffutils 1:3.10-4
dpkg 1.22.21
findutils 4.10.0-3
gcc-14-base 14.2.0-19
grep 3.11-4
gzip 1.13-1
hostname 3.25
init-system-helpers 1.69~deb13u1
inotify-tools 4.23.9.0-2+b1
krb5-locales 1.21.3-5
libacl1 2.3.2-2+b1
libapt-pkg7.0 3.0.3
libattr1 1:2.5.2-3
libaudit-common 1:4.0.2-2
libaudit1 1:4.0.2-2+b2
libblkid1 2.41-5
libbrotli1 1.1.0-2+b7
libbsd0 0.12.2-2
libbz2-1.0 1.0.8-6
libc-bin 2.41-12+deb13u1
libc6 2.41-12+deb13u1
libcap-ng0 0.8.5-4+b1
libcap2 1:2.75-10+b3
libcom-err2 1.47.2-3+b7
libcrypt1 1:4.4.38-1
libcurl4t64 8.14.1-2+deb13u2
libdb5.3t64 5.3.28+dfsg2-9
libdebconfclient0 0.280
libffi8 3.4.8-2
libgcc-s1 14.2.0-19
libgmp10 2:6.3.0+dfsg-3
libgnutls30t64 3.8.9-3+deb13u1
libgpm2 1.20.7-11+b2
libgssapi-krb5-2 1.21.3-5
libhogweed6t64 3.10.1-1
libidn2-0 2.3.8-2
libinotifytools0 4.23.9.0-2+b1
libk5crypto3 1.21.3-5
libkeyutils1 1.6.3-6
libkrb5-3 1.21.3-5
libkrb5support0 1.21.3-5
liblastlog2-2 2.41-5
libldap-common 2.6.10+dfsg-1
libldap2 2.6.10+dfsg-1
liblz4-1 1.10.0-4
liblzma5 5.8.1-1
libmd0 1.1.0-2+b1
libmount1 2.41-5
libncursesw6 6.5+20250216-2
libnettle8t64 3.10.1-1
libnghttp2-14 1.64.0-1.1
libnghttp3-9 1.8.0-1
libp11-kit0 0.25.5-3
libpam-modules 1.7.0-5
libpam-modules-bin 1.7.0-5
libpam-runtime 1.7.0-5
libpam0g 1.7.0-5
libpcre2-8-0 10.46-1~deb13u1
libpsl5t64 0.21.2-1.1+b1
librtmp1 2.4+20151223.gitfa8646d.1-2+b5
libsasl2-2 2.1.28+dfsg1-9
libsasl2-modules 2.1.28+dfsg1-9
libsasl2-modules-db 2.1.28+dfsg1-9
libseccomp2 2.6.0-2
libselinux1 3.8.1-1
libsemanage-common 3.8.1-1
libsemanage2 3.8.1-1
libsepol2 3.8.1-1
libsmartcols1 2.41-5
libsqlite3-0 3.46.1-7
libssh2-1t64 1.11.1-1
libssl3t64 3.5.4-1~deb13u1
libstdc++6 14.2.0-19
libsystemd0 257.9-1~deb13u1
libtasn1-6 4.20.0-2
libtinfo6 6.5+20250216-2
libudev1 257.9-1~deb13u1
libunistring5 1.3-2
libuuid1 2.41-5
libxxhash0 0.8.3-2
libzstd1 1.5.7+dfsg-1
login 1:4.16.0-2+really2.41-5
login.defs 1:4.17.4-2
mawk 1.3.4.20250131-1
mount 2.41-5
nano 8.4-1
ncurses-base 6.5+20250216-2
ncurses-bin 6.5+20250216-2
openssl 3.5.4-1~deb13u1
openssl-provider-legacy 3.5.4-1~deb13u1
passwd 1:4.17.4-2
perl-base 5.40.1-6
publicsuffix 20250328.1952-0.1
redpanda 25.3.5-1
redpanda-rpk 25.3.5-1
redpanda-tuner 25.3.5-1
sed 4.9-2
sqv 1.3.0-3+b2
sysvinit-utils 3.14-4
tar 1.35+dfsg-3.1
tzdata 2025b-4+deb13u1
util-linux 2.41-5
vim-common 2:9.1.1230-2
vim-tiny 2:9.1.1230-2
xxd 2:9.1.1230-2
zlib1g 1:1.3.dfsg+really1.3.1-1+b1

hardened components (170)

acl 2.3.2
attr 2.5.2
bash-interactive 5.3p3
buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1
buf.build/gen/go/grpc-ecosystem/grpc-gateway/protocolbuffers/go v1.36.10-20240617172850-a48fcebcf8f1.1
buf.build/gen/go/redpandadata/cloud/connectrpc/go v1.19.1-20251208213618-d95eb1f5bf36.2
buf.build/gen/go/redpandadata/cloud/protocolbuffers/go v1.36.10-20251209175915-c155e3b17438.1
buf.build/gen/go/redpandadata/common/protocolbuffers/go v1.36.10-20251106193941-bb850a944663.1
buf.build/gen/go/redpandadata/core/connectrpc/go v1.19.1-20251125205739-05aa34b3829a.2
buf.build/gen/go/redpandadata/core/protocolbuffers/go v1.36.10-20251204205609-c0c7c0a68f89.1
buf.build/gen/go/redpandadata/dataplane/connectrpc/go v1.19.1-20251209134521-106822fddcf0.2
buf.build/gen/go/redpandadata/dataplane/protocolbuffers/go v1.36.10-20251209134521-106822fddcf0.1
buf.build/gen/go/redpandadata/gatekeeper/connectrpc/go v1.19.1-20251022210437-a5dd600d04b6.2
buf.build/gen/go/redpandadata/gatekeeper/protocolbuffers/go v1.36.10-20251022210437-a5dd600d04b6.1
cloud.google.com/go/compute/metadata v0.9.0
connectrpc.com/connect v1.19.1
coreutils 9.8
gcc 15.2.0
gcc 15.2.0
github.com/AlecAivazis/survey/v2 v2.3.7
github.com/avast/retry-go v3.0.0+incompatible
github.com/aws/aws-sdk-go v1.55.6
github.com/bahlo/generic-list-go v0.2.0
github.com/beevik/ntp v1.5.0
github.com/briandowns/spinner v1.23.2
github.com/bufbuild/protocompile v0.14.1
github.com/buger/jsonparser v1.1.1
github.com/cespare/xxhash v1.1.0
github.com/cloudflare/cfssl v1.6.5
github.com/containerd/errdefs v1.0.0
github.com/containerd/errdefs/pkg v0.3.0
github.com/coreos/go-systemd/v22 v22.5.0
github.com/davecgh/go-spew v1.1.1
github.com/distribution/reference v0.6.0
github.com/docker/docker v28.3.3+incompatible
github.com/docker/go-connections v0.5.0
github.com/docker/go-units v0.5.0
github.com/emicklei/go-restful/v3 v3.11.0
github.com/fatih/color v1.18.0
github.com/felixge/httpsnoop v1.0.4
github.com/fxamacker/cbor/v2 v2.7.0
github.com/go-logr/logr v1.4.3
github.com/go-logr/stdr v1.2.2
github.com/go-openapi/jsonpointer v0.21.0
github.com/go-openapi/jsonreference v0.20.2
github.com/go-openapi/swag v0.23.0
github.com/godbus/dbus/v5 v5.0.4
github.com/gogo/protobuf v1.3.2
github.com/golang/snappy v0.0.4
github.com/google/gnostic-models v0.6.9
github.com/google/go-cmp v0.7.0
github.com/google/uuid v1.6.0
github.com/hashicorp/errwrap v1.1.0
github.com/hashicorp/go-multierror v1.1.1
github.com/invopop/jsonschema v0.13.0
github.com/jmespath/go-jmespath v0.4.0
github.com/josharian/intern v1.0.0
github.com/json-iterator/go v1.1.12
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
github.com/klauspost/compress v1.18.1
github.com/kr/text v0.2.0
github.com/lestrrat-go/blackmagic v1.0.3
github.com/lestrrat-go/httpcc v1.0.1
github.com/lestrrat-go/httprc v1.0.6
github.com/lestrrat-go/iter v1.0.2
github.com/lestrrat-go/jwx/v2 v2.1.6
github.com/lestrrat-go/option v1.0.1
github.com/linkedin/goavro/v2 v2.14.1
github.com/lithammer/go-jump-consistent-hash v1.0.2
github.com/lorenzosaino/go-sysctl v0.3.1
github.com/mailru/easyjson v0.7.7
github.com/mark3labs/mcp-go v0.37.0
github.com/mattn/go-colorable v0.1.13
github.com/mattn/go-isatty v0.0.20
github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
github.com/mitchellh/mapstructure v1.5.0
github.com/moby/docker-image-spec v1.3.1
github.com/moby/term v0.5.2
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
github.com/modern-go/reflect2 v1.0.2
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.1
github.com/pierrec/lz4/v4 v4.1.22
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
github.com/pkg/errors v0.9.1
github.com/prometheus/client_model v0.6.2
github.com/prometheus/common v0.65.0
github.com/redpanda-data/common-go/api v0.0.0-20250801174835-9eea07f1ea06
github.com/redpanda-data/common-go/net v0.1.0
github.com/redpanda-data/common-go/proto v0.0.0-20250820120127-9b518fca5ecf
github.com/redpanda-data/common-go/rpadmin v0.2.1
github.com/redpanda-data/common-go/rpsr v0.1.2
github.com/redpanda-data/go-avro/v2 v2.0.0-20240405204525-77b1144dc525
github.com/redpanda-data/protoc-gen-go-mcp v0.0.0-20250812151819-7e5d5fef8241
github.com/redpanda-data/redpanda/src/go/rpk UNKNOWN
github.com/rivo/uniseg v0.4.7
github.com/rs/xid v1.6.0
github.com/safchain/ethtool v0.6.2
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
github.com/schollz/progressbar/v3 v3.18.0
github.com/sethgrid/pester v1.2.0
github.com/spf13/afero v1.15.0
github.com/spf13/cast v1.7.1
github.com/spf13/cobra v1.10.1
github.com/spf13/pflag v1.0.10
github.com/tidwall/gjson v1.14.4
github.com/tidwall/match v1.1.1
github.com/tidwall/pretty v1.2.1
github.com/tidwall/sjson v1.2.5
github.com/tklauser/go-sysconf v0.3.15
github.com/tklauser/numcpus v0.10.0
github.com/twmb/franz-go v1.20.4
github.com/twmb/franz-go/pkg/kadm v1.17.1
github.com/twmb/franz-go/pkg/kmsg v1.12.0
github.com/twmb/franz-go/pkg/sr v1.5.0
github.com/twmb/franz-go/plugin/kzap v1.1.2
github.com/twmb/tlscfg v1.2.1
github.com/twmb/types v1.1.6
github.com/wk8/go-ordered-map/v2 v2.1.8
github.com/x448/float16 v0.8.4
github.com/yosida95/uritemplate/v3 v3.0.2
glibc 2.40-66
gmp-with-cxx 6.3.0
go.opentelemetry.io/auto/sdk v1.1.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
go.opentelemetry.io/otel v1.37.0
go.opentelemetry.io/otel/metric v1.37.0
go.opentelemetry.io/otel/trace v1.37.0
go.uber.org/multierr v1.11.0
go.uber.org/zap v1.27.0
golang.org/x/crypto v0.43.0
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
golang.org/x/net v0.46.0
golang.org/x/oauth2 v0.32.0
golang.org/x/sync v0.17.0
golang.org/x/sys v0.37.0
golang.org/x/term v0.36.0
golang.org/x/text v0.30.0
golang.org/x/time v0.9.0
google.golang.org/genproto v0.0.0-20250409194420-de1ac958c67a
google.golang.org/genproto/googleapis/api v0.0.0-20251103181224-f26f9409b101
google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda
google.golang.org/grpc v1.73.0
google.golang.org/protobuf v1.36.10
gopkg.in/evanphx/json-patch.v4 v4.12.0
gopkg.in/inf.v0 v0.9.1
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
iana-etc 20250505
k8s.io/api v0.33.3
k8s.io/apimachinery v0.33.3
k8s.io/client-go v0.33.3
k8s.io/klog/v2 v2.130.1
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
libidn2 2.3.8
libunistring 1.4.1
mailcap 2.1.54
ncurses 6.5
readline 8.3p1
redpanda-rpk 25.3.5
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3
sigs.k8s.io/randfill v1.0.0
sigs.k8s.io/structured-merge-diff/v4 v4.6.0
sigs.k8s.io/yaml v1.4.0
stdlib go1.25.5
tzdata 2025b
xgcc 15.2.0

Download SBOMs

Upstream SBOM Hardened SBOM

Usage

$
podman pull ghcr.io/armorred/redpanda:24.3

Verify Signature

$
cosign verify --key https://armorred.org/cosign.pub ghcr.io/armorred/redpanda:24.3