Merge pull request #316 from replicatedcom/divolgin/sc-88850/make-a-december-2023-heritage-release

divolgin · web-flow · commit 092986f8e243 · 2023-12-14T10:44:04.000-08:00
CVE fixes
diff --git a/.circleci/.anchore/grype.yaml b/.circleci/.anchore/grype.yaml
@@ -1,4 +1,7 @@
 ignore:
+  - vulnerability: CVE-2023-47038
+  - vulnerability: CVE-2023-5981
+
   # https://github.com/anchore/grype#specifying-matches-to-ignore
   # example to ignore a vulnerability
   # This is the full set of supported rule fields:
@@ -10,25 +13,19 @@ ignore:
   #     type: npm
   #     location: "/usr/local/lib/node_modules/**"
 
-- package:
-    type: go-module
+  - package:
+      type: go-module
 
-# google-cloud-sdk python vulns
-- vulnerability: GHSA-w7pp-m8wf-vj6r
-  package:
-    name: cryptography
-    version: 36.0.2
-    type: python
-    location: "/usr/lib/google-cloud-sdk/platform/bundledpythonunix/lib/**"
-- vulnerability: GHSA-x4qr-2fvf-3mr5
-  package:
-    name: cryptography
-    version: 36.0.2
-    type: python
-    location: "/usr/lib/google-cloud-sdk/platform/bundledpythonunix/lib/**"
-- vulnerability: GHSA-vvpx-j8f3-3w6h
-  package:
-    name: golang.org/x/net
-    version: v0.5.0
-    type: go-module
-    location: "/usr/lib/google-cloud-sdk/bin/**"
+  # google-cloud-sdk python vulns
+  - vulnerability: GHSA-jfhm-5ghh-2f97
+    package:
+      name: cryptography
+      version: 41.0.5
+      type: python
+      location: "/usr/lib/google-cloud-sdk/platform/bundledpythonunix/lib/**"
+  - vulnerability: GHSA-mq26-g339-26xf
+    package:
+      name: pip
+      version: 23.2.1
+      type: python
+      location: "/usr/lib/google-cloud-sdk/platform/bundledpythonunix/lib/**"
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -40,7 +40,7 @@ jobs:
     machine: true
     environment:
       GOPATH: /home/circleci/go
-      GO_SHA256SUM: 87fc728c9c731e2f74e4a999ef53cf07302d7ed3504b0839027bd9c10edaa3fd
+      GO_SHA256SUM: 9c5d48c54dd8b0a3b2ef91b0f92a1190aa01f11d26e98033efa64c46a30bba7b
       GO: /usr/local/go/bin/go
       GOCACHE: "/tmp/go/cache"
     steps:
@@ -49,7 +49,7 @@ jobs:
           keys:
             - support-bundle-e2e-build-cache-base
       - run: |
-          export GO_DOWNLOAD_URL=https://go.dev/dl/go1.17.10.linux-amd64.tar.gz
+          export GO_DOWNLOAD_URL=https://go.dev/dl/go1.20.12.linux-amd64.tar.gz
           export GOPATH=/home/circleci/go
           export GOROOT=/usr/local/go
           export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
diff --git a/deploy/Dockerfile-base b/deploy/Dockerfile-base
@@ -1,4 +1,4 @@
-FROM debian:buster-slim
+FROM debian:bookworm-slim
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -y && apt-get install --no-install-recommends -y \
     ca-certificates \

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM debian:buster-slim`
	`1`	`+FROM debian:bookworm-slim`
`2`	`2`	`ENV DEBIAN_FRONTEND=noninteractive`
`3`	`3`	`RUN apt-get update -y && apt-get install --no-install-recommends -y \`
`4`	`4`	`ca-certificates \`