From a860f16f97d40521de5f4347ff7ee3db1b102e11 Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Thu, 14 Mar 2024 10:07:17 -0400 Subject: [PATCH 1/2] Upgrade to use Go `1.21.8`. This resolves CVEs [CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`). [CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`). [CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`). [CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`). [CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) [CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426) --- .go-version | 2 +- control-plane/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.go-version b/.go-version index 8819d012ce..428abfd24f 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.21.7 +1.21.8 diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile index dda0ab6a96..b1752507fd 100644 --- a/control-plane/Dockerfile +++ b/control-plane/Dockerfile @@ -17,7 +17,7 @@ # go-discover builds the discover binary (which we don't currently publish # either). ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine as go-discover +FROM golang:${GOLANG_VERSION}-alpine3.19 as go-discover RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@214571b6a5309addf3db7775f4ee8cf4d264fd5f # dev copies the binary from a local build From 81746326794a903d27cf5152a43fc931e7b52e3f Mon Sep 17 00:00:00 2001 
From: "Chris S. Kim" Date: Thu, 14 Mar 2024 10:11:37 -0400 Subject: [PATCH 2/2] Add changelog --- .changelog/3741.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .changelog/3741.txt diff --git a/.changelog/3741.txt b/.changelog/3741.txt new file mode 100644 index 0000000000..496f73597b --- /dev/null +++ b/.changelog/3741.txt @@ -0,0 +1,14 @@ +```release-note:security +Upgrade to use Go `1.21.8`. This resolves CVEs +[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`). +[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`). +[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`). +[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`). +[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). +``` + +```release-note:security +Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs +[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) +[CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426) +``` \ No newline at end of file
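Review bot: nothing in the `.go-version` hunk (`-1.21.7` / `+1.21.8`) shows how the new value reaches the actual build, so please state in the PR description where `.go-version` is consumed (the CI toolchain setup and the `ARG GOLANG_VERSION` passed to the Dockerfile); if either is pinned independently, the shipped binary could still be compiled with 1.21.7 and the listed `crypto/x509`, `net/http`, `net/http/cookiejar`, `html/template` and `net/mail` fixes would not be present. A cheap post-merge check is `go version -m <binary>` on the published artifact, which reports the toolchain it was built with.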
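Review bot: the changed line `FROM golang:${GOLANG_VERSION}-alpine3.19 as go-discover` still selects the base image by a mutable tag, so whether the expat fixes claimed in the commit message (CVE-2023-52425, CVE-2023-52426) are actually in the built image depends on which build of that tag the builder pulls; please verify with an image scan of the resulting artifact (and consider recording the resolved digest, though a `@sha256:` pin combined with the `${GOLANG_VERSION}` build arg may be better as a follow-up). Two smaller points on the same hunk: it only touches the `go-discover` stage, so confirm no other `golang:${GOLANG_VERSION}-alpine` stage in this Dockerfile is left floating on the unsuffixed `-alpine` tag, and `as` should be `AS` to match the upper-case instruction style used on the rest of the line.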
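Review bot: in the `.changelog/3741.txt` hunk the link text `[CVE-2023-52426⁠]` carries a stray invisible character between `52426` and `]` (the same character appears in the first commit's message), which makes the rendered text differ from the other entries and can defeat a plain-text search for the CVE id; please retype that token. Two style points: the file is added without a trailing newline (`\ No newline at end of file`), and the two `release-note:security` blocks format their CVE lists differently (the first terminates each entry with `.`, the second has no separators), so pick one form for both.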