
Investigate unresolved deployer CVEs after remediation pass 1 #429

@josecelano


Overview

Track unresolved vulnerabilities that remain in torrust/tracker-deployer:local after remediation pass 1 from issue #428.

Context

Issue #428 reduced deployer findings from 49 HIGH to 44 HIGH and left 1 CRITICAL open in OpenTofu binary findings.

Remaining areas:

  • Debian 13.4 base package vulnerabilities (HIGH)
  • OpenTofu binary vulnerabilities (2 HIGH, 1 CRITICAL)

Goals

  • Verify which remaining CVEs are fixable immediately
  • Evaluate OpenTofu upgrade/pinning options to remove CRITICAL finding
  • Document accepted risk for non-fixable base-package CVEs
  • Propose next remediation PR scope

Acceptance Criteria

  • Re-run vuln-only scan and map CVEs to fix availability
  • Validate whether newer OpenTofu release clears critical finding
  • Document recommendation (apply fix now / wait for upstream)
  • Pre-commit checks pass: ./scripts/pre-commit.sh
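One way to carry out the first acceptance criterion (re-run the scan and map each CVE to fix availability) is to post-process the scanner's JSON report rather than read it by eye. The script below is an added example, not code from the torrust/tracker-deployer project. It assumes a Trivy-style JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the issue does not name the scanner, so adapt the field names if another tool is used. The embedded report is constructed sample data with placeholder CVE ids, not the real findings from the image.

```python
"""Map CRITICAL/HIGH scanner findings to fix availability, per scan target.

Added example; not code from the torrust/tracker-deployer project. Assumes a
Trivy-style JSON report (Results[].Vulnerabilities[]); the issue itself does
not name the scanner. SAMPLE_REPORT is constructed data with placeholder ids.
"""
import json
from collections import defaultdict

# Constructed sample report: placeholder CVE ids and packages, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "torrust/tracker-deployer:local",
    "Results": [
        {
            "Target": "torrust/tracker-deployer:local (debian 13.4)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3-1", "FixedVersion": "2.3-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "usr/local/bin/tofu",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example.org/dep",
                 "InstalledVersion": "v1.2.0", "FixedVersion": "v1.2.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "example.org/other",
                 "InstalledVersion": "v0.4.0", "FixedVersion": "", "Severity": "HIGH"},
            ],
        },
    ],
})

SEVERITIES = ("CRITICAL", "HIGH")


def classify_findings(report_json, severities=SEVERITIES):
    """Group findings of the given severities per target into fixable / unfixable.

    Returns {target: {"fixable": [...], "unfixable": [...]}}; each entry is
    (cve_id, package, installed_version, fixed_version_or_None, severity).
    """
    report = json.loads(report_json)
    out = defaultdict(lambda: {"fixable": [], "unfixable": []})
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            # An empty FixedVersion means upstream has published no fix yet.
            fixed = v.get("FixedVersion") or None
            bucket = "fixable" if fixed else "unfixable"
            out[target][bucket].append(
                (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], fixed, v["Severity"])
            )
    return dict(out)


def summarize(classified):
    """Totals across all targets: findings an upgrade can clear now vs. not yet."""
    fixable = sum(len(b["fixable"]) for b in classified.values())
    unfixable = sum(len(b["unfixable"]) for b in classified.values())
    return {"fixable": fixable, "unfixable": unfixable}


def all_criticals_fixable(classified):
    """True when every CRITICAL finding already has a fixed version published."""
    criticals = [f for b in classified.values()
                 for f in b["fixable"] + b["unfixable"] if f[4] == "CRITICAL"]
    return bool(criticals) and all(f[3] is not None for f in criticals)


if __name__ == "__main__":
    classified = classify_findings(SAMPLE_REPORT)
    for target, buckets in classified.items():
        print(f"== {target}")
        for cve, pkg, inst, fixed, sev in buckets["fixable"]:
            print(f"  FIX NOW     {cve} {pkg} {inst} -> {fixed} ({sev})")
        for cve, pkg, inst, _, sev in buckets["unfixable"]:
            print(f"  ACCEPT/WAIT {cve} {pkg} {inst} (no fix yet) ({sev})")
    print(summarize(classified))
    print("all CRITICAL findings fixable:", all_criticals_fixable(classified))
```

Keying the grouping on the scan target keeps the base-image OS packages separate from the OpenTofu binary, which matches how this issue splits the remaining work: the "fixable" bucket for the OS target is the next remediation PR, the "unfixable" bucket is what needs a documented accepted-risk entry, and the CRITICAL check answers whether a newer OpenTofu release clears the finding.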
