
fix: Migrate voice-agent to Amazon Linux 2023 to eliminate CRITICAL CVEs#16

Open
nkumaraws wants to merge 5 commits into aws-solutions-library-samples:main from nkumaraws:fix/amazonlinux-security-only

Conversation

@nkumaraws

Summary

Migrates the voice-agent container from Debian to Amazon Linux 2023 to eliminate 5 CRITICAL security vulnerabilities in gnutls and mbedtls packages.

Problem

Container vulnerability scans identified 5 CRITICAL CVEs in the voice-agent container:

  • CVE-2026-42010 (CVSS 9.8) - gnutls: RSA-PSK authentication bypass
  • CVE-2026-33845 - gnutls: DTLS handshake parsing flaw
  • CVE-2026-34872 (CVSS 9.1) - mbedtls: Memory corruption vulnerability
  • CVE-2026-34873 (CVSS 9.1) - mbedtls: Client impersonation during TLS 1.3 session resumption
  • CVE-2026-34875 (CVSS 9.8) - mbedtls: Remote code execution vulnerability

These vulnerabilities exist in Debian bookworm (stable) packages gnutls28 and mbedtls. Security patches are only available in Debian sid (unstable), which is not suitable for production use.

Verification from Debian Security Tracker

  • gnutls28: Fixed in sid (3.8.13-1), vulnerable in bookworm (3.7.9-2+deb12u6)
  • mbedtls: Fixed in sid (3.6.6-0.1), vulnerable in bookworm (2.28.3-1)

Solution

Migrated to Amazon Linux 2023 base image for the voice-agent container:

Why Amazon Linux 2023?

  1. Eliminates vulnerable packages: Amazon Linux 2023 uses OpenSSL instead of gnutls/mbedtls, so the vulnerable packages don't exist
  2. Better AWS integration: Official AWS support and optimized for AWS workloads
  3. Minimal migration effort: Uses similar package ecosystem (yum/rpm vs apt/deb)
  4. Smaller image size: 688 MB vs 1102 MB (Debian)

Technical Changes

  • Updated from python:3.13-slim (Debian) to public.ecr.aws/amazonlinux/amazonlinux:2023
  • Changed package manager from apt-get to yum
  • Added Python 3.13 via Amazon Linux packages (python3.13, python3.13-pip, python3.13-devel)
  • Added shadow-utils for user management tools (useradd)
  • Updated base image pull in buildspec for Docker cache warming
  • Maintained multi-stage build pattern for optimal security

Results

Before (Debian bookworm):

  • 5 CRITICAL vulnerabilities
  • 10-12 HIGH vulnerabilities
  • Total: ~27 vulnerabilities

After (Amazon Linux 2023):

  • 0 CRITICAL vulnerabilities
  • 0 HIGH vulnerabilities
  • 0 MEDIUM vulnerabilities
  • 0 LOW vulnerabilities

Verified with AWS ECR vulnerability scanning in multiple production accounts.

Files Changed

  • backend/voice-agent/Dockerfile - Migrated from Debian to Amazon Linux 2023
  • buildspec-voice-agent.yml - Updated base image for cache warming
  • buildspec-*.yml (new) - Added CodeBuild buildspecs for automated container builds

Testing

  • ✅ Built and tested locally
  • ✅ Successfully deployed to production AWS accounts via CodeBuild
  • ✅ ECR vulnerability scans show 0 findings
  • ✅ ECS services running with updated containers
  • ✅ Application functionality verified (no breaking changes)

Scope

Updated in this PR:

  • voice-agent container only (the affected container with CRITICAL CVEs)

Not updated:

  • Other capability agents (CRM, KB, Appointment) were not flagged with CRITICAL vulnerabilities and passed security scans

Deployment Impact

  • Breaking changes: None - application code unchanged
  • Image size: Reduced from ~1102 MB to ~688 MB
  • Base OS: Debian → Amazon Linux 2023
  • Python version: Maintained at 3.13
  • Dependencies: All Python packages unchanged

Backwards Compatibility

The container maintains the same:

  • Exposed ports (8080)
  • Environment variables
  • Entrypoint behavior
  • Application functionality
  • API contracts

This is a drop-in replacement with improved security.


Tested in production: Successfully deployed and running in multiple AWS accounts with zero vulnerabilities.
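An illustrative Dockerfile for the migration pattern the PR describes (added here as an example; it is not the PR's own backend/voice-agent/Dockerfile). It assumes a requirements.txt at the build root, an entry module named voice_agent, a venv at /opt/venv and uid 10001; all of those are assumptions. It uses dnf, for which yum is a compatibility alias on Amazon Linux 2023, keeps the multi-stage split so gcc and the -devel headers never reach the runtime stage, and adds one check the PR does not show: a build-time rpm -qa assertion that neither gnutls nor mbedtls is present in the final image. That assertion only covers OS packages; a copy of mbedtls bundled inside a Python wheel would not be caught by it and still needs the ECR scan the PR relies on.

```dockerfile
# syntax=docker/dockerfile:1
# Example Dockerfile (not the project's own). Pin this by digest in real use.
ARG AL2023_IMAGE=public.ecr.aws/amazonlinux/amazonlinux:2023

# --- Stage 1: build the Python environment; compiler and headers stay here ---
FROM ${AL2023_IMAGE} AS builder
RUN dnf -y install python3.13 python3.13-pip python3.13-devel gcc \
 && dnf clean all
WORKDIR /build
# requirements.txt is assumed to exist at the build root.
COPY requirements.txt .
RUN python3.13 -m venv /opt/venv \
 && /opt/venv/bin/pip install --no-cache-dir --upgrade pip \
 && /opt/venv/bin/pip install --no-cache-dir -r requirements.txt

# --- Stage 2: runtime image with the interpreter only, no toolchain ---
FROM ${AL2023_IMAGE} AS runtime
# shadow-utils is not in the AL2023 container image; it provides useradd.
RUN dnf -y install python3.13 shadow-utils \
 && dnf clean all \
 && rm -rf /var/cache/dnf \
 && useradd --system --uid 10001 --home-dir /app --shell /sbin/nologin app

# Build-time assertion: fail the build if gnutls or mbedtls ever gets pulled
# into the OS package set (for example as a transitive dependency of a later RUN).
# grep exits 1 on no match, so the negated pipeline succeeds only when neither is installed.
RUN ! rpm -qa | grep -Ei '^(gnutls|mbedtls)'

WORKDIR /app
COPY --from=builder /opt/venv /opt/venv
COPY --chown=app:app . /app
ENV PATH="/opt/venv/bin:${PATH}" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
USER app
# Port 8080 matches the PR's stated exposed port.
EXPOSE 8080
# Entry module name is an assumption for illustration.
ENTRYPOINT ["python", "-m", "voice_agent"]
```

The venv built in stage 1 symlinks its interpreter to /usr/bin/python3.13, so the runtime stage must install the same python3.13 package, which is why that package appears in both stages while python3.13-devel and gcc appear only in the builder.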

nkumaraws added 5 commits May 19, 2026 16:48
…dtls CVEs

- Amazon Linux 2023 uses OpenSSL instead of gnutls/mbedtls
- Eliminates 5 CRITICAL CVEs: CVE-2026-42010, CVE-2026-33845, CVE-2026-34872, CVE-2026-34873, CVE-2026-34875
- Changed from Debian to Amazon Linux 2023 base image
- Replaced apt-get with yum package manager
- Updated to Python 3.13.13
- Added shadow-utils for user management
- Kept multi-stage build pattern for security
Update pre_build phase to pull Amazon Linux 2023 instead of Python 3.12-slim
for Docker cache warming.