From 34dac28c552d64283f4db86874ee230d55c944a1 Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Thu, 14 Mar 2024 14:07:17 +0000 Subject: [PATCH 1/2] backport of commit a860f16f97d40521de5f4347ff7ee3db1b102e11 --- .go-version | 2 +- control-plane/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.go-version b/.go-version index 8819d012ce..428abfd24f 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.21.7 +1.21.8 diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile index 38c2ed8fc3..30b26f460f 100644 --- a/control-plane/Dockerfile +++ b/control-plane/Dockerfile @@ -17,7 +17,7 @@ # go-discover builds the discover binary (which we don't currently publish # either). ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine as go-discover +FROM golang:${GOLANG_VERSION}-alpine3.19 as go-discover RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@214571b6a5309addf3db7775f4ee8cf4d264fd5f # dev copies the binary from a local build From a5c207966d36720f1a874dce28c67d8a19c7c46e Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Thu, 14 Mar 2024 14:11:37 +0000 Subject: [PATCH 2/2] backport of commit 81746326794a903d27cf5152a43fc931e7b52e3f --- .changelog/3741.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .changelog/3741.txt diff --git a/.changelog/3741.txt b/.changelog/3741.txt new file mode 100644 index 0000000000..496f73597b --- /dev/null +++ b/.changelog/3741.txt @@ -0,0 +1,14 @@ +```release-note:security +Upgrade to use Go `1.21.8`. This resolves CVEs +[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`). +[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`). +[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`). +[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`). +[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). +``` + +```release-note:security +Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs +[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) +[CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426) +``` \ No newline at end of file