diff --git a/.changelog/3741.txt b/.changelog/3741.txt new file mode 100644 index 0000000000..496f73597b --- /dev/null +++ b/.changelog/3741.txt @@ -0,0 +1,14 @@ +```release-note:security +Upgrade to use Go `1.21.8`. This resolves CVEs +[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`). +[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`). +[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`). +[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`). +[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`). +``` + +```release-note:security +Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs +[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) +[CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426) +``` \ No newline at end of file diff --git a/.go-version b/.go-version index 8819d012ce..428abfd24f 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.21.7 +1.21.8 diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile index dda0ab6a96..b1752507fd 100644 --- a/control-plane/Dockerfile +++ b/control-plane/Dockerfile @@ -17,7 +17,7 @@ # go-discover builds the discover binary (which we don't currently publish # either). ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine as go-discover +FROM golang:${GOLANG_VERSION}-alpine3.19 as go-discover RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@214571b6a5309addf3db7775f4ee8cf4d264fd5f # dev copies the binary from a local build