Backport of [NET-8368] security: bump Go version to 1.21.8 into release/1.16.x (#20854)

* backport of commit d65cacc7a6 * backport of commit 60ab1568ca --------- Co-authored-by: dduzgun-security <deniz.duzgun@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
8 months ago · 8b32edd692
3 changed files with 16 additions and 2 deletions
--- a/.changelog/20812.txt
+++ b/.changelog/20812.txt
@ -0,0 +1,14 @@
+```release-note:security
+Upgrade to use Go `1.21.8`. This resolves CVEs
+[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`).
+[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`).
+[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`).
+[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
+[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`).
+```
+
+```release-note:security
+Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs
+[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425)
+[CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426)
+```
--- a/.go-version
+++ b/.go-version
@ -1 +1 @@
-1.21.7
+1.21.8
--- a/build-support/docker/Build-Go.dockerfile
+++ b/build-support/docker/Build-Go.dockerfile
@ -2,6 +2,6 @@
 # SPDX-License-Identifier: MPL-2.0

 ARG GOLANG_VERSION
-FROM golang:${GOLANG_VERSION}
+FROM golang:${GOLANG_VERSION}-alpine3.19

 WORKDIR /consul
 @ -1 +1 @@
 .21.7
 .21.8