From 8e9f98e72528ebbbdb2a681ad45aea4bcc1d3f2a Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Tue, 9 Jul 2024 17:38:05 +0800
Subject: [PATCH] security: upgrade base docker image (Alpine) from 3.20.0 to 3.20.1 See https://www.alpinelinux.org/posts/Alpine-3.20.1-released.html >including security fixes for: OPENSSL [CVE-2024-4741](https://security.alpinelinux.org/vuln/CVE-2024-4741) BUSYBOX [CVE-2023-42364](https://security.alpinelinux.org/vuln/CVE-2023-42364) [CVE-2023-42365](https://security.alpinelinux.org/vuln/CVE-2023-42365)
---
 app/vmui/Dockerfile-web | 2 +-
 deployment/docker/Makefile | 4 ++--
 docs/CHANGELOG.md | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/vmui/Dockerfile-web b/app/vmui/Dockerfile-web
index 4420f396e7..79a98fb207 100644
--- a/app/vmui/Dockerfile-web
+++ b/app/vmui/Dockerfile-web
@@ -6,7 +6,7 @@ COPY web/ /build/
 RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o web-amd64 github.com/VictoriMetrics/vmui/ && \
 GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -o web-windows github.com/VictoriMetrics/vmui/
-FROM alpine:3.20.0
+FROM alpine:3.20.1
 USER root
 COPY --from=build-web-stage /build/web-amd64 /app/web
diff --git a/deployment/docker/Makefile b/deployment/docker/Makefile
index 6a8279f7cb..00ee79f5f9 100644
--- a/deployment/docker/Makefile
+++ b/deployment/docker/Makefile
@@ -3,10 +3,10 @@ DOCKER_REGISTRY ?= docker.io
 DOCKER_NAMESPACE ?= victoriametrics
-ROOT_IMAGE ?= alpine:3.20.0
+ROOT_IMAGE ?= alpine:3.20.1
 ROOT_IMAGE_SCRATCH ?= scratch
 SKIP_SCRATCH_BUILD ?= false
-CERTS_IMAGE := alpine:3.20.0
+CERTS_IMAGE := alpine:3.20.1
 GO_BUILDER_IMAGE := golang:1.22.5-alpine
 BUILDER_IMAGE := local/builder:2.0.0-$(shell echo $(GO_BUILDER_IMAGE) | tr :/ __)-1
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 9e6370034e..56c704a1cd 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -32,6 +32,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
 **Update note 1: support for snap packages was removed due to lack of interest from community. See this [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6543) for details. Please read about supported package types [here](https://docs.victoriametrics.com/#install).**
 * SECURITY: upgrade Go builder from Go1.22.4 to Go1.22.5. See the list of issues addressed in [Go1.22.5](https://github.com/golang/go/issues?q=milestone%3AGo1.22.5+label%3ACherryPickApproved).
+* SECURITY: upgrade base docker image (Alpine) from 3.20.0 to 3.20.1. See [alpine 3.20.1 release notes](https://www.alpinelinux.org/posts/Alpine-3.20.1-released.html).
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow overriding `Host` header with a target host before sending to a downstream. See this [issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6453)
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): reduces CPU usage by reusing request body buffer. Allows to disable requests caching with `-maxRequestBodySizeToRetry=0`. See this [PR](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6533) for details.