Bugfix release to fix CVE-2023-24538 (#4795)

* Bugfix release to fix CVE-2023-24538

* Update CHANGELOG.md

* Update v2.7.md

* make build-jsonnet-tests

---------

Co-authored-by: Arve Knudsen <[email protected]>

Author: aldernero

.github/workflows/compare-helm-with-jsonnet.yml

@@ -16,7 +16,7 @@ jobs:
     - uses: actions/checkout@v3
     - uses: actions/setup-go@v3
       with:
-        go-version: '1.20.1'
+        go-version: '1.20.3'
     - uses: helm/[email protected]
     - name: Download yq
       uses: dsaltares/fetch-gh-release-asset@d9376dacd30fd38f49238586cd2e9295a8307f4c

.github/workflows/helm-ci.yml

@@ -18,7 +18,7 @@ jobs:
   conftest:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:goupdate-751733fe1
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
       - name: Check out repository
         uses: actions/checkout@v3

.github/workflows/test-build-deploy.yml

@@ -20,7 +20,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:goupdate-751733fe1
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
       - name: Check out repository
         uses: actions/checkout@v3
@@ -64,7 +64,7 @@ jobs:
   lint-jsonnet:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:goupdate-72d66708c
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
       - name: Check out repository
         uses: actions/checkout@v3
@@ -90,7 +90,7 @@ jobs:
   lint-helm:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:goupdate-751733fe1
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
       - name: Check out repository
         uses: actions/checkout@v3
@@ -119,7 +119,7 @@ jobs:
         test_group_id:    [0, 1, 2, 3]
         test_group_total: [4]
     container:
-      image: grafana/mimir-build-image:goupdate-751733fe1
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
       - name: Check out repository
         uses: actions/checkout@v3
@@ -154,7 +154,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:goupdate-751733fe1
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
       - name: Check out repository
         uses: actions/checkout@v3
@@ -198,7 +198,7 @@ jobs:
       - name: Upgrade golang
         uses: actions/setup-go@v3
         with:
-          go-version: 1.20.1
+          go-version: 1.20.3
       - name: Check out repository
         uses: actions/checkout@v3
       - name: Run Git Config
@@ -244,7 +244,7 @@ jobs:
     if: (startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/r') ) && github.event_name == 'push' && github.repository == 'grafana/mimir'
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:goupdate-751733fe1
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
       - name: Check out repository
         uses: actions/checkout@v3

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.7.2
+
+### Grafana Mimir
+
+* [BUGFIX] Security: updated Go version to 1.20.3 to fix CVE-2023-24538 #4795
+
 ## 2.7.1
 
 **Note**: During the release process, version 2.7.0 was tagged too early, before completing the release checklist and production testing. Release 2.7.1 doesn't include any code changes since 2.7.0, but now has proper release notes, published documentation, and has been fully tested in our production environment.

Makefile

@@ -178,7 +178,7 @@ mimir-build-image/$(UPTODATE): mimir-build-image/*
 # All the boiler plate for building golang follows:
 SUDO := $(shell docker info >/dev/null 2>&1 || echo "sudo -E")
 BUILD_IN_CONTAINER ?= true
-LATEST_BUILD_IMAGE_TAG ?= goupdate-751733fe1
+LATEST_BUILD_IMAGE_TAG ?= chore-upgrade-go-1203-5c4c29f01
 
 # TTY is parameterized to allow Google Cloud Builder to run builds,
 # as it currently disallows TTY devices. This value needs to be overridden

VERSION

@@ -1 +1 @@
-2.7.1
+2.7.2

development/mimir-microservices-mode/dev.dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.1
+FROM golang:1.20.3
 ENV CGO_ENABLED=0
 RUN go install github.com/go-delve/delve/cmd/[email protected]
 

development/mimir-read-write-mode/dev.dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.1
+FROM golang:1.20.3
 ENV CGO_ENABLED=0
 RUN go install github.com/go-delve/delve/cmd/[email protected]
 

docs/sources/mimir/release-notes/v2.7.md

@@ -79,3 +79,4 @@ In Grafana Mimir 2.7, the following options, metrics, and labels have been remov
 - Ingester: conversion of global limits max-series-per-user, max-series-per-metric, max-metadata-per-user and max-metadata-per-metric into corresponding local limits now takes into account the number of ingesters in each zone. [PR 4238](https://github.com/grafana/mimir/pull/4238)
 - Ingester: track cortex_ingester_memory_series metric consistently with cortex_ingester_memory_series_created_total and cortex_ingester_memory_series_removed_total. [PR 4312](https://github.com/grafana/mimir/pull/4312)
 - Querier: fixed a bug which was incorrectly matching series with regular expression label matchers with begin/end anchors in the middle of the regular expression. [PR 4340](https://github.com/grafana/mimir/pull/4340)
+- Security: updated the Go version to 1.20.3 to fix CVE-2023-24538. [PR 4795](https://github.com/grafana/mimir/pull/4795)

mimir-build-image/Dockerfile

@@ -5,7 +5,7 @@
 
 FROM k8s.gcr.io/kustomize/kustomize:v4.5.5 as kustomize
 FROM alpine/helm:3.11.1 as helm
-FROM golang:1.20.1-bullseye
+FROM golang:1.20.3-bullseye
 ARG goproxyValue
 ENV GOPROXY=${goproxyValue}
 ENV SKOPEO_DEPS="libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config"