From 44538b35a1ad1f12f519a370a312c338bd3f9e09 Mon Sep 17 00:00:00 2001
From: Alexander Marshalov <_@marshalov.org>
Date: Tue, 28 May 2024 19:36:15 +0200
Subject: [PATCH] Update base Alpine image to 3.20.0 to avoid security risks (#6370)
fixes: CVE-2023-42366, CVE-2023-42363, CVE-2024-4603, CVE-2024-2511, CVE-2024-24788, CVE-2024-24787
(cherry picked from commit a6cc7098fe3238e6eb56769f9008196740c1d8fd)
---
 app/vmui/Dockerfile-web | 2 +-
 deployment/docker/Makefile | 4 ++--
 docs/CHANGELOG.md | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/vmui/Dockerfile-web b/app/vmui/Dockerfile-web
index b9af50e420..19276f4c7a 100644
--- a/app/vmui/Dockerfile-web
+++ b/app/vmui/Dockerfile-web
@@ -6,7 +6,7 @@ COPY web/ /build/
 RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o web-amd64 github.com/VictoriMetrics/vmui/ && \
 GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -o web-windows github.com/VictoriMetrics/vmui/
-FROM alpine:3.19.1
+FROM alpine:3.20.0
 USER root
 COPY --from=build-web-stage /build/web-amd64 /app/web
diff --git a/deployment/docker/Makefile b/deployment/docker/Makefile
index 700e7c3339..76d373d3ff 100644
--- a/deployment/docker/Makefile
+++ b/deployment/docker/Makefile
@@ -2,8 +2,8 @@ DOCKER_NAMESPACE ?= victoriametrics
-ROOT_IMAGE ?= alpine:3.19.1
-CERTS_IMAGE := alpine:3.19.1
+ROOT_IMAGE ?= alpine:3.20.0
+CERTS_IMAGE := alpine:3.20.0
 GO_BUILDER_IMAGE := golang:1.22.3-alpine
 BUILDER_IMAGE := local/builder:2.0.0-$(shell echo $(GO_BUILDER_IMAGE) | tr :/ __)-1
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 761d629c41..e3eecd60e7 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -12,6 +12,7 @@ The following `tip` changes can be tested by building VictoriaMetrics components
 ## v1.93.x long-time support release (LTS)
 * SECURITY: upgrade Go builder from Go1.22.2 to Go1.22.3. See [the list of issues addressed in Go1.22.3](https://github.com/golang/go/issues?q=milestone%3AGo1.22.3+label%3ACherryPickApproved).
+* SECURITY: upgrade base docker image (Alpine) from 3.19.1 to 3.20.0. See [alpine 3.20.0 release notes](https://www.alpinelinux.org/posts/Alpine-3.20.0-released.html).
 * BUGFIX: [vmui](https://docs.victoriametrics.com/#vmui): fix calendar display when `UTC+00:00` timezone is set. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6239).
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent/): skip empty data blocks before sending to the remote write destination. Thanks to @viperstars for [the pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6241).