Backport of Update alpine to 3.18 to fix CVE-2023-2650 into release/1…

….0.x (#2286) * backport of commit ddec233 * backport of commit 5ca4d15 * backport of commit c073a1d --------- Co-authored-by: Curt Bushko <cbushko@gmail.com>
hashicorp · Jun 6, 2023 · f79960b · f79960b
1 parent 03ecd62
commit f79960b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/.changelog/2284.txt b/.changelog/2284.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Bump Dockerfile base image to `alpine:3.18`. Resolves [CVE-2023-2650](https://github.com/advisories/GHSA-gqxg-9vfr-p9cg) vulnerability in openssl@3.0.8-r4
+```
diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile
@@ -19,7 +19,7 @@ RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@49f60
 # dev copies the binary from a local build
 # -----------------------------------
 # BIN_NAME is a requirement in the hashicorp docker github action 
-FROM alpine:3.17 AS dev
+FROM alpine:3.18 AS dev
 
 # NAME and VERSION are the name of the software in releases.hashicorp.com
 # and the version to download. Example: NAME=consul VERSION=1.2.3.
@@ -71,7 +71,7 @@ CMD /bin/${BIN_NAME}
 # We don't rebuild the software because we want the exact checksums and
 # binary signatures to match the software and our builds aren't fully
 # reproducible currently.
-FROM alpine:3.17 AS release-default
+FROM alpine:3.18 AS release-default
 
 ARG BIN_NAME=consul-k8s-control-plane
 ARG CNI_BIN_NAME=consul-cni