From 8ee439362c7d5d3a00f9397c9416e7c5bb0a4986 Mon Sep 17 00:00:00 2001
From: Michael Wilkerson
Date: Thu, 2 Mar 2023 09:58:34 -0800
Subject: [PATCH 1/2] updated go version to fix cve https://go.dev/issue/58001

---
 .circleci/config.yml | 8 ++++----
 .go-version | 2 +-
 control-plane/Dockerfile | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index e97a1fbd4e..063ed53a35 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,7 +6,7 @@ orbs:
 executors:
 go:
 docker:
- - image: docker.mirror.hashicorp.services/cimg/go:1.19.2
+ - image: docker.mirror.hashicorp.services/cimg/go:1.19.6
 environment:
 TEST_RESULTS: /tmp/test-results # path to where test results are saved
 
@@ -34,9 +34,9 @@ commands:
 - run:
 name: Install go, gotestsum, kind, kubectl, and helm
 command: |
- wget https://golang.org/dl/go1.19.2.linux-amd64.tar.gz
- sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.19.2.linux-amd64.tar.gz
- rm go1.19.2.linux-amd64.tar.gz
+ wget https://golang.org/dl/go1.19.6.linux-amd64.tar.gz
+ sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.19.6.linux-amd64.tar.gz
+ rm go1.19.6.linux-amd64.tar.gz
 echo 'export PATH=$PATH:/usr/local/go/bin' >> $BASH_ENV
 
 wget https://github.com/gotestyourself/gotestsum/releases/download/v1.8.2/gotestsum_1.8.2_linux_amd64.tar.gz
diff --git a/.go-version b/.go-version
index 836ae4eda2..2a4feaf54c 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.19.2
+1.19.6
diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile
index 850cdd42c6..e2391e18a5 100644
--- a/control-plane/Dockerfile
+++ b/control-plane/Dockerfile
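Review bot: The Go toolchain fetched by `wget https://golang.org/dl/go1.19.6.linux-amd64.tar.gz` is still unpacked into /usr/local by the following `sudo tar` line with no integrity check, so a job whose purpose is to pick up a CVE fix trusts whatever the download endpoint or an on-path proxy returns. Verifying the archive against the SHA-256 published on go.dev/dl before extracting closes that gap, e.g. `echo "<sha256 from go.dev/dl>  go1.19.6.linux-amd64.tar.gz" | sha256sum -c -` inserted between the `wget` and `sudo tar` lines; the expected digest is not visible in this patch and has to be taken from the release page. The gotestsum tarball on the trailing context line is fetched the same way, though that line is not changed here. The `command: |` script continues past the end of the hunk.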
@@ -13,7 +13,7 @@
 # go-discover builds the discover binary (which we don't currently publish
 # either).
-FROM golang:1.19.2-alpine as go-discover
+FROM golang:1.19.6-alpine as go-discover
 RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@49f60c093101c9c5f6b04d5b1c80164251a761a6
 # dev copies the binary from a local build
From 4f266a3cb4f18d5148facf99204ff4314904a59d Mon Sep 17 00:00:00 2001
From: Michael Wilkerson
Date: Thu, 2 Mar 2023 10:00:53 -0800
Subject: [PATCH 2/2] added changelog

---
 .changelog/1976.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/1976.txt

diff --git a/.changelog/1976.txt b/.changelog/1976.txt
new file mode 100644
index 0000000000..65024aa6f9
--- /dev/null
+++ b/.changelog/1976.txt
@@ -0,0 +1,3 @@
+```release-note:security
+upgrade to use Go 1.19.6. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http.
+```
\ No newline at end of file