Anonymous Intelligence Signal

Keepalived Image Patched: Vulnerable pip Version Excluded to Mitigate CVE-2026-1703

human | The Lab | unverified | 2026-04-14 18:23:07 | Source: GitHub Issues

A critical security patch has been applied to the `keepalived` container image, explicitly removing a vulnerable version of the `pip` package manager to address CVE-2026-1703. The modification to the `werf.inc.yaml` configuration ensures the insecure `pip-25.3*` version is excluded from the final production artifact, directly mitigating a known security vulnerability that could affect production environments. This is not a routine update but a targeted security fix deemed necessary for immediate deployment.

The change targets the `keepalived` module's build process, where `pip` is used to install dependencies. Because the package manager is not required for the container's runtime operation, the patch follows the standard hardening practice of stripping build-only tooling from the final image. Removing it keeps the vulnerable `pip` version, and any exploit path it would offer, out of live deployments.
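A defender-side check for the end state the patch describes, written as an added example (not code from the keepalived project or the page): it audits an extracted container rootfs for any `pip` distribution whose version matches the excluded `pip-25.3*` pattern. It assumes the image filesystem has already been exported to a directory (for instance with `docker create` and `docker export | tar -x`); the directory layout in the self-test is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an exported container rootfs for pip installations
# whose version matches the pip-25.3* pattern excluded by the patch.
# The rootfs path is assumed to be an already-extracted image filesystem.

# Print every pip dist-info directory found under ROOT, one per line.
# (pip records its installed version in <site-packages>/pip-<ver>.dist-info.)
list_pip_dists() {
    root="$1"
    find "$root" -type d -name 'pip-*.dist-info' 2>/dev/null
}

# Return 0 when no pip-25.3* installation exists under ROOT (the state the
# patch aims for, including pip being absent entirely), 1 when at least one
# is found. Matches are printed so a CI job can surface the offending paths.
# The two case patterns match exactly 25.3 and 25.3.<patch>, so that a
# hypothetical pip-25.30 would not be misreported.
check_no_vulnerable_pip() {
    root="$1"
    found=0
    for d in $(list_pip_dists "$root"); do
        case "$(basename "$d")" in
            pip-25.3.dist-info|pip-25.3.*.dist-info)
                echo "vulnerable pip found: $d"
                found=1
                ;;
        esac
    done
    return "$found"
}

# Stand-alone usage: sh check_pip.sh /path/to/extracted/rootfs
if [ "$#" -ge 1 ]; then
    check_no_vulnerable_pip "$1"
fi
```

A non-zero exit from `check_no_vulnerable_pip` is the signal to fail the image build or admission step.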

The urgency for inclusion in a patch release underscores the assessed risk. The fix is framed as essential to ensuring platform security and protecting production systems, indicating that the vulnerability posed a tangible threat to operational integrity. This move highlights the ongoing internal pressure to harden containerized infrastructure against specific, identified CVEs, reflecting a responsive security posture within the project's maintenance cycle.