fix: Backport of Alpine 3.19 to release/v1.19

[kaiwalyajoshi]

We're currently using gitea:1.19.x and our security scanners have detected the Critical CVE-2023-38545 found in the base alpine:3.17 image.

This CVE has been fixed in the main branch via #28594.

This PR backports the fixes to the release/v1.19 branches.

This PR also bumps github.com/mattn/go-sqlite3 to v1.14.9 due to a build break which was fixed by go-sqlite3, a similar bump is introduced in main via #28518

For testing, issuing a make test passes and running a trivy image docker.io/gitea/gitea:latest shows the Critical CVEs are no longer present with alpine:3.19 as of writingthis PR.

We'd like to request the release of a new gitea:1.19.x release on the successful merge of this PR.

[kaiwalyajoshi]

This is my first PR to gitea, so please guide me if I have gotten something wrong.

[delvh]

If I understand the problem correctly, Gitea is unaffected as gitea is not curl, and we don't use curl anywhere.
I don't think we need to fix this security issue without impact.
See also https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/.

[kaiwalyajoshi]

@delvh yes that is correct.
Gitea does not use curl/libcurl, but there's a vulnerability within the base alpine image via curl/libcurl.
This PR addresses that with a bump of alpine which has the updated version of curl/libcurl.

[kaiwalyajoshi]

Updated title to clarify backport.

[KN4CK3R]

I don't think we will release a new 1.19.x version.

[techknowlogick]

Yes, 1.19 (and 1.20 for that matter) are EOL. If an LTS version is of interest to you, one of my goals for the upcoming year is to introduce one.
However, if you are concerned re:security, I'd suggest going to 1.21 right away.
If you have a business need to stay on 1.19 you can reach out to CommitGo, a company founded by some TOC members to offer support services at [email protected], and we can assist you in that, along with backporting the other security patches.