[nats] Release v2.9.21

[bruth]

Details can be found here

[yosifkit]

• apk add --upgrade libcrypto3 libssl3; \

We recommend against using package upgrades (apt-get upgrade/apk upgrade/yum upgrade/yum update) for official-images. When package upgrades are applied in a dependent image, it duplicates content of the base image, making the image larger than necessary. It also only delays the inevitable "there are outdated packages". The Official Images build pipeline makes heavy use of docker build cache, so we make periodic base image updates to then fully rebuild all dependent images (e.g. the Debian image updates).

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also means that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

[bruth]

@yosifkit The reason we added this line was due to some vulnerabilities found in the current Alpine image. Upgrading the packages resolves these for scanners. See this comment for context: nats-io/nats-docker#115 (comment)

If it is still a no-go, then I will remove the line and update the PR.

[bruth]

Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also means that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

Re-reading, so once the alpine image is updated, the NATS images will automatically be rebuilt with the latest patch (since we built on 3.18)?

[bruth]

@yosifkit Let us know what the preferred path is here, so we can remediate and get the images up on Docker Hub.

[yosifkit]

Re-reading, so once the alpine image is updated, the NATS images will automatically be rebuilt with the latest patch (since we built on 3.18)?

Correct, which will happen with #15156. So, please drop the apk upgrade.

[bruth]

@yosifkit Updated. Referenced commit: nats-io/nats-docker@36c7375

[github-actions]

Diff for fce67dc:

diff --git a/_bashbrew-cat b/_bashbrew-cat
index 357e408..ccb7347 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,25 +1,25 @@
 Maintainers: Derek Collison <derek@synadia.com> (@derekcollison), Waldemar Quevedo Salinas <wally@synadia.com> (@wallyqs), Byron Ruth <byron@synadia.com> (@bruth), Neil Twigg <neil@synadia.com> (@neilalexander), Phil Pennock <pdp@synadia.com> (@philpennock)
 GitRepo: https://github.com/nats-io/nats-docker.git
 GitFetch: refs/heads/main
-GitCommit: 6ee3723373975f65c7b446e20d4a938a5c5a5567
+GitCommit: 36c73754f3d7b2b2e69a0c4680a48636929012cc
 
-Tags: 2.9.20-alpine3.18, 2.9-alpine3.18, 2-alpine3.18, alpine3.18, 2.9.20-alpine, 2.9-alpine, 2-alpine, alpine
+Tags: 2.9.21-alpine3.18, 2.9-alpine3.18, 2-alpine3.18, alpine3.18, 2.9.21-alpine, 2.9-alpine, 2-alpine, alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8
-Directory: 2.9.20/alpine3.18
+Directory: 2.9.21/alpine3.18
 
-Tags: 2.9.20-nanoserver-1809, 2.9-nanoserver-1809, 2-nanoserver-1809, nanoserver-1809
-SharedTags: 2.9.20-nanoserver, 2.9-nanoserver, 2-nanoserver, nanoserver, 2.9.20, 2.9, 2, latest
+Tags: 2.9.21-nanoserver-1809, 2.9-nanoserver-1809, 2-nanoserver-1809, nanoserver-1809
+SharedTags: 2.9.21-nanoserver, 2.9-nanoserver, 2-nanoserver, nanoserver, 2.9.21, 2.9, 2, latest
 Architectures: windows-amd64
-Directory: 2.9.20/nanoserver-1809
+Directory: 2.9.21/nanoserver-1809
 Constraints: nanoserver-1809, windowsservercore-1809
 
-Tags: 2.9.20-scratch, 2.9-scratch, 2-scratch, scratch, 2.9.20-linux, 2.9-linux, 2-linux, linux
-SharedTags: 2.9.20, 2.9, 2, latest
+Tags: 2.9.21-scratch, 2.9-scratch, 2-scratch, scratch, 2.9.21-linux, 2.9-linux, 2-linux, linux
+SharedTags: 2.9.21, 2.9, 2, latest
 Architectures: amd64, arm32v6, arm32v7, arm64v8
-Directory: 2.9.20/scratch
+Directory: 2.9.21/scratch
 
-Tags: 2.9.20-windowsservercore-1809, 2.9-windowsservercore-1809, 2-windowsservercore-1809, windowsservercore-1809
-SharedTags: 2.9.20-windowsservercore, 2.9-windowsservercore, 2-windowsservercore, windowsservercore
+Tags: 2.9.21-windowsservercore-1809, 2.9-windowsservercore-1809, 2-windowsservercore-1809, windowsservercore-1809
+SharedTags: 2.9.21-windowsservercore, 2.9-windowsservercore, 2-windowsservercore, windowsservercore
 Architectures: windows-amd64
-Directory: 2.9.20/windowsservercore-1809
+Directory: 2.9.21/windowsservercore-1809
 Constraints: windowsservercore-1809
diff --git a/_bashbrew-list b/_bashbrew-list
index 82d8052..ab3a017 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -16,15 +16,15 @@ nats:2.9-nanoserver-1809
 nats:2.9-scratch
 nats:2.9-windowsservercore
 nats:2.9-windowsservercore-1809
-nats:2.9.20
-nats:2.9.20-alpine
-nats:2.9.20-alpine3.18
-nats:2.9.20-linux
-nats:2.9.20-nanoserver
-nats:2.9.20-nanoserver-1809
-nats:2.9.20-scratch
-nats:2.9.20-windowsservercore
-nats:2.9.20-windowsservercore-1809
+nats:2.9.21
+nats:2.9.21-alpine
+nats:2.9.21-alpine3.18
+nats:2.9.21-linux
+nats:2.9.21-nanoserver
+nats:2.9.21-nanoserver-1809
+nats:2.9.21-scratch
+nats:2.9.21-windowsservercore
+nats:2.9.21-windowsservercore-1809
 nats:alpine
 nats:alpine3.18
 nats:latest
diff --git a/nats_alpine/Dockerfile b/nats_alpine/Dockerfile
index f8a0b91..a9822e4 100644
--- a/nats_alpine/Dockerfile
+++ b/nats_alpine/Dockerfile
@@ -1,22 +1,22 @@
 FROM alpine:3.18
 
-ENV NATS_SERVER 2.9.20
+ENV NATS_SERVER 2.9.21
 
 RUN set -eux; \
 	apkArch="$(apk --print-arch)"; \
 	case "$apkArch" in \
-		aarch64) natsArch='arm64'; sha256='59ebc51e99fd97f92b8ecf3d0ee566aef9e133c2fc0a981e0522c105490c2e99' ;; \
-		armhf) natsArch='arm6'; sha256='c27abedca49baf59799630505f9e37ae22dc9ec644f0a645537e1b5d33221491' ;; \
-		armv7) natsArch='arm7'; sha256='fdd51a5c3ed7d47ef5efae1e9861e317df37e385205e45df63c35968650e59e4' ;; \
-		x86_64) natsArch='amd64'; sha256='626288430030b63a05b1fa79aa6ed84344c29ae78808e62b078add906d77f138' ;; \
-		x86) natsArch='386'; sha256='7db99a9d9e2b87304dab0745409b51dbb1a366705b0d08bc7da5ad025e30140e' ;; \
+		aarch64) natsArch='arm64'; sha256='6c2906b5a3b930e842c0a88772b5f484e962ac342f57852a45b1c5a7e10f2197' ;; \
+		armhf) natsArch='arm6'; sha256='424576d72c1f3b5bd309254d0d0462e21b4aaf6b85defcf6663128294b15c16f' ;; \
+		armv7) natsArch='arm7'; sha256='3ee6e4db568311c6832b1ec4d76933cc8ee1a783281ed89da5ebe6f602d1c521' ;; \
+		x86_64) natsArch='amd64'; sha256='2bd2878a63efa5bc9b9c3f1d43fd953c7e14b22ba540f7dea19f7fb3a803215d' ;; \
+		x86) natsArch='386'; sha256='6eef61e4a81fb03f47ef8bfe08eab6909846a3404db28b4260630385dc27910f' ;; \
 		*) echo >&2 "error: $apkArch is not supported!"; exit 1 ;; \
 	esac; \
 	\
 	wget -O nats-server.tar.gz "https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER}/nats-server-v${NATS_SERVER}-linux-${natsArch}.tar.gz"; \
 	echo "${sha256} *nats-server.tar.gz" | sha256sum -c -; \
 	\
-	apk add --no-cache ca-certificates; \
+	apk add --no-cache ca-certificates tzdata; \
 	\
 	tar -xf nats-server.tar.gz; \
 	rm nats-server.tar.gz; \
diff --git a/nats_linux/Dockerfile b/nats_linux/Dockerfile
index dba06a8..b4d8ee2 100644
--- a/nats_linux/Dockerfile
+++ b/nats_linux/Dockerfile
@@ -1,5 +1,5 @@
 FROM scratch
-COPY --from=nats:2.9.20-alpine3.18 /usr/local/bin/nats-server /nats-server
+COPY --from=nats:2.9.21-alpine3.18 /usr/local/bin/nats-server /nats-server
 COPY nats-server.conf /nats-server.conf
 EXPOSE 4222 8222 6222
 ENV PATH="$PATH:/"
diff --git a/nats_nanoserver-1809/Dockerfile b/nats_nanoserver-1809/Dockerfile
index c448e80..3b59c1d 100644
--- a/nats_nanoserver-1809/Dockerfile
+++ b/nats_nanoserver-1809/Dockerfile
@@ -2,7 +2,7 @@ FROM mcr.microsoft.com/windows/nanoserver:1809
 
 ENV NATS_DOCKERIZED 1
 
-COPY --from=nats:2.9.20-windowsservercore-1809 C:\\nats-server.exe C:\\nats-server.exe
+COPY --from=nats:2.9.21-windowsservercore-1809 C:\\nats-server.exe C:\\nats-server.exe
 COPY nats-server.conf C:\\nats-server.conf
 
 EXPOSE 4222 8222 6222
diff --git a/nats_windowsservercore-1809/Dockerfile b/nats_windowsservercore-1809/Dockerfile
index 666ce98..6b3a602 100644
--- a/nats_windowsservercore-1809/Dockerfile
+++ b/nats_windowsservercore-1809/Dockerfile
@@ -4,9 +4,9 @@ FROM mcr.microsoft.com/windows/servercore:1809
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop';"]
 
 ENV NATS_DOCKERIZED 1
-ENV NATS_SERVER 2.9.20
+ENV NATS_SERVER 2.9.21
 ENV NATS_SERVER_DOWNLOAD https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER}/nats-server-v${NATS_SERVER}-windows-amd64.zip
-ENV NATS_SERVER_SHASUM 6dd2f4648c3b5f7c0b0a2fc492ecd2263d3dfb22ea5cf2d0c018a82f0e912b35
+ENV NATS_SERVER_SHASUM 43df40bcf81e819e3467a31c548643439d4200486f3032c61ae4b134243f8796
 
 RUN Set-PSDebug -Trace 2

Relevant Maintainers:

• nats: @derekcollison @wallyqs @bruth @neilalexander @philpennock