From 98cce1fc8963d129e2e3059dcf86c80d5b31087d Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Thu, 14 Mar 2024 10:07:43 -0400
Subject: [PATCH] Backport of [NET-8368] security: bump Go version to 1.21.8 into release/1.18.x (#20856)
* backport of commit d65cacc7a67fb9c7be8546e138f4c8e1edcd4c72
* backport of commit 60ab1568ca9847df1ad05f138b6829e9e4ea0ca2
---------
Co-authored-by: dduzgun-security
Co-authored-by: Chris S. Kim
---
.changelog/20812.txt | 14 ++++++++++++++
.go-version | 2 +-
build-support/docker/Build-Go.dockerfile | 2 +-
3 files changed, 16 insertions(+), 2 deletions(-)
create mode 100644 .changelog/20812.txt
diff --git a/.changelog/20812.txt b/.changelog/20812.txt
new file mode 100644
index 0000000000..6e4fb371b8
--- /dev/null
+++ b/.changelog/20812.txt
@@ -0,0 +1,14 @@
+```release-note:security
+Upgrade to use Go `1.21.8`. This resolves CVEs
+[CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783) (`crypto/x509`).
+[CVE-2023-45290](https://nvd.nist.gov/vuln/detail/CVE-2023-45290) (`net/http`).
+[CVE-2023-45289](https://nvd.nist.gov/vuln/detail/CVE-2023-45289) (`net/http`, `net/http/cookiejar`).
+[CVE-2024-24785](https://nvd.nist.gov/vuln/detail/CVE-2024-24785) (`html/template`).
+[CVE-2024-24784](https://nvd.nist.gov/vuln/detail/CVE-2024-24784) (`net/mail`).
+```
+
+```release-note:security
+Update the Consul Build Go base image to `alpine3.19`. This resolves CVEs
+[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425)
+[CVE-2023-52426⁠](https://nvd.nist.gov/vuln/detail/CVE-2023-52426)
+```
diff --git a/.go-version b/.go-version
index 8819d012ce..428abfd24f 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.21.7
+1.21.8
diff --git a/build-support/docker/Build-Go.dockerfile b/build-support/docker/Build-Go.dockerfile
index 056508da67..044f7439fc 100644
--- a/build-support/docker/Build-Go.dockerfile
+++ b/build-support/docker/Build-Go.dockerfile
@@ -2,6 +2,6 @@ # SPDX-License-Identifier: BUSL-1.1 ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION} +FROM golang:${GOLANG_VERSION}-alpine3.19 WORKDIR /consul
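Review bot: The new `FROM golang:${GOLANG_VERSION}-alpine3.19` still resolves a mutable tag, so the build image that carries these CVE fixes can change underneath a release branch without any diff. For a security backport I would pin the reviewed image by digest, e.g. `FROM golang:${GOLANG_VERSION}-alpine3.19@sha256:<digest-of-reviewed-image>`, and add a comment such as `# alpine3.19 pinned for CVE-2023-52425 / CVE-2023-52426; bump together with .go-version`. The line also moves the build from the default golang variant to Alpine, which presumably changes the libc to musl and removes tools such as bash and git. The rest of the Dockerfile lies outside this hunk, so any later step that relies on those tools or on cgo should be checked. `ARG GOLANG_VERSION` has no default, and an unset build argument would produce the tag `golang:-alpine3.19`.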