kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0

Bump base bookworm image to 1.0.2 #871

Closed dims closed 2 months ago

dims commented 2 months ago

Updated golang to 1.22 as well.

rikatz commented 2 months ago

/lgtm

on my lunch time and saw on twitter :P

thockin commented 2 months ago

Thanks!

/lgtm
/approve

k8s-ci-robot commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, norrs, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes/git-sync/blob/master/OWNERS)~~ [thockin]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.

norrs commented 2 months ago

@thockin : My idea was that this would fix https://security-tracker.debian.org/tracker/CVE-2023-45853 , but reading in more detail in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290 it seems like even though the zlib package itself does not build the minizip binary, it contains the sources for it, which other source packages could vendor from zlib again. In the bug report mentioned below, it seems like other packages have actually done this. 😅

I believe maybe https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290#64 has released a fix for Debian unstable and trixie (currently what is defined as Debian's next upcoming stable release). But the current stable Debian bookworm is not currently patched with a backport of the fix.

Should we maybe request a backport upstream in Debian for bookworm? Because currently the security-tracker has the following note: `[bookworm] - zlib <ignored> (contrib/minizip not built and producing binary packages)`, so I'm a bit unsure if this will get a follow-up if we don't ask about it?
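
An added example, not git-sync code and not something any commenter posted, that mechanizes the triage done by hand above: given the Debian security tracker's per-release data for a CVE, it classifies the release a base image is built from as fixed, ignored (no-DSA) or open, and says whether refreshing the base image can help at all or whether a backport request is the only route. The feed shape (`status`, `fixed_version`, `nodsa`, `nodsa_reason` under `releases`) is assumed from the tracker's JSON export at https://security-tracker.debian.org/tracker/data/json; `SAMPLE_FEED` is constructed with placeholder version strings and is not real tracker output. The example also covers the open and unknown cases, which the thread does not discuss.

```python
"""Triage one CVE against Debian's per-release security-tracker status.

Added example, not part of git-sync. The feed layout is an assumption based on
the tracker's JSON export; SAMPLE_FEED is constructed and its version strings
are placeholders, not real tracker data.
"""
import json

# Constructed sample in the assumed shape of the tracker feed.  Only the
# bookworm note mirrors what the thread quotes; everything else is placeholder.
SAMPLE_FEED = json.loads(r"""
{
  "zlib": {
    "CVE-2023-45853": {
      "description": "constructed sample entry",
      "releases": {
        "bookworm": {
          "status": "open",
          "urgency": "unimportant",
          "nodsa": "contrib/minizip not built and producing binary packages",
          "nodsa_reason": "ignored",
          "repositories": {"bookworm": "0.stable-example-1"}
        },
        "trixie": {
          "status": "resolved",
          "urgency": "unimportant",
          "fixed_version": "0.next-example-2",
          "repositories": {"trixie": "0.next-example-2"}
        },
        "sid": {
          "status": "resolved",
          "urgency": "unimportant",
          "fixed_version": "0.next-example-2",
          "repositories": {"sid": "0.next-example-2"}
        }
      }
    }
  }
}
""")

FIXED, IGNORED, OPEN, UNKNOWN = "fixed", "ignored", "open", "unknown"


def classify_release(feed, package, cve, release):
    """Return (verdict, note) for a single release entry.

    fixed   - a fixed_version exists, so rebuilding on a refreshed base
              image picks the fix up.
    ignored - maintainers marked it no-DSA/ignored; nothing will land in
              this release unless someone requests a backport.
    open    - unfixed and not ignored; a fix may still land.
    unknown - the package, CVE or release is absent from the feed.
    """
    entry = feed.get(package, {}).get(cve, {}).get("releases", {}).get(release)
    if entry is None:
        return UNKNOWN, "no tracker entry"
    note = entry.get("nodsa", "")
    if entry.get("status") == "resolved" and entry.get("fixed_version"):
        return FIXED, "fixed in " + entry["fixed_version"]
    if entry.get("nodsa_reason") == "ignored":
        return IGNORED, note
    return OPEN, note or "no fix in this release yet"


def triage(feed, package, cve, release):
    """Recommend an action for an image built on `release`.

    Lists the releases that already carry a fix so a backport request can
    point at them, and says plainly when a base-image bump cannot help.
    """
    verdict, note = classify_release(feed, package, cve, release)
    releases = feed.get(package, {}).get(cve, {}).get("releases", {})
    fixed_in = sorted(
        r for r in releases if classify_release(feed, package, cve, r)[0] == FIXED
    )
    if verdict == FIXED:
        action = "rebuild on a refreshed base image"
    elif verdict == IGNORED and fixed_in:
        action = (f"request a backport into {release} (fix exists in: "
                  f"{', '.join(fixed_in)}); audit the image for vendored copies")
    elif verdict == IGNORED:
        action = "ignored with no fix anywhere; audit the image for vendored copies"
    elif verdict == OPEN:
        action = "wait for a fix; audit the image for vendored copies"
    else:
        action = "look the CVE up manually"
    return {"release": release, "verdict": verdict, "note": note,
            "fixed_in": fixed_in, "action": action}


if __name__ == "__main__":
    import pprint
    # For live data replace SAMPLE_FEED with json.load() of the tracker export.
    pprint.pprint(triage(SAMPLE_FEED, "zlib", "CVE-2023-45853", "bookworm"))
```

The design point is the `ignored` branch: an `<ignored>` entry means a bookworm-based image will never pick up a fix through a routine base-image bump, so the tool reports that explicitly and names the releases where a fix already exists, which is the information a backport request needs. The "audit for vendored copies" hint reflects the thread's observation that other source packages may carry their own copy of contrib/minizip, which the zlib package status alone does not cover.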

thockin commented 2 months ago

We can ask - I am not an expert in this sort of assessment, so I usually defer to Debian baseimage owners