Merge pull request #4633 from telefonicaid/hardening/upgrade-dependen…

…cies FIX upgrade dependencies
telefonicaid · Nov 7, 2024 · ae1c68c · ae1c68c
2 parents 4f38622 + 1cfa741
commit ae1c68c
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 67 deletions.
diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
@@ -1,2 +1,5 @@
 - Fix: improve attribute and metadata invalid format dates for DateTime types in logs (#4616)
+- Hardening: upgrade microhttpd dependency from 0.9.76 to 1.0.1
+- Hardening: upgrade libmosquitto dependency from 2.0.15 to 2.0.20
+- Hardening: upgrade libmongoc dependency from 1.24.3 to 1.29.0
 - Upgrade Debian version from 12.6 to 12.7 in Dockerfile
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -231,8 +231,8 @@ SET (BOOST_MT
 
 # See http://mongoc.org/libmongoc/current/tutorial.html#cmake
 # This find_package() command provides the mongo::mongoc_static used in
-# SET for common static libs. We use 1.24.3 as reference version.
-find_package (mongoc-1.0 1.24.3 EXACT)
+# SET for common static libs. We use 1.29.0 as reference version.
+find_package (mongoc-1.0 1.29.0 EXACT)
 
 # Is cjexl lib available?
 find_library (HAVE_CJEXL cjexl PATHS /usr/lib /usr/lib64 /usr/local/lib64 /usr/local/lib)

diff --git a/ci/deb/build-dep.sh b/ci/deb/build-dep.sh
@@ -68,8 +68,8 @@ echo "INSTALL: python special dependencies" \
 # Recommended setting for DENABLE_AUTOMATIC_INIT_AND_CLEANUP, to be removed in 2.0.0
 # see http://mongoc.org/libmongoc/current/init-cleanup.html#deprecated-feature-automatic-initialization-and-cleanup
 echo "INSTALL: mongodb c driver" \
-&& curl -L https://github.com/mongodb/mongo-c-driver/releases/download/1.24.3/mongo-c-driver-1.24.3.tar.gz | tar xzC /opt/ \
-&& cd /opt/mongo-c-driver-1.24.3 \
+&& curl -L https://github.com/mongodb/mongo-c-driver/releases/download/1.29.0/mongo-c-driver-1.29.0.tar.gz | tar xzC /opt/ \
+&& cd /opt/mongo-c-driver-1.29.0 \
 && mkdir cmake-build \
 && cd cmake-build \
 && cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF .. \
@@ -81,8 +81,8 @@ echo "INSTALL: rapidjson" \
 && mv /opt/rapidjson-1.1.0/include/rapidjson/ /usr/local/include
 
 echo "INSTALL: libmicrohttpd" \
-&& curl -L https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-0.9.76.tar.gz | tar xzC /opt/ \
-&& cd /opt/libmicrohttpd-0.9.76  \
+&& curl -L https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-1.0.1.tar.gz | tar xzC /opt/ \
+&& cd /opt/libmicrohttpd-1.0.1  \
 && ./configure --disable-messages --disable-postprocessor --disable-dauth  \
 && make \
 && make install
@@ -96,8 +96,8 @@ echo "INSTALL: gmock" \
 && make install
 
 echo "INSTALL: mosquitto" \
-&& curl -kL https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz | tar xzC /opt/ \
-&& cd /opt/mosquitto-2.0.15 \
+&& curl -kL https://mosquitto.org/files/source/mosquitto-2.0.20.tar.gz | tar xzC /opt/ \
+&& cd /opt/mosquitto-2.0.20 \
 && sed -i 's/WITH_CJSON:=yes/WITH_CJSON:=no/g' config.mk \
 && sed -i 's/WITH_STATIC_LIBRARIES:=no/WITH_STATIC_LIBRARIES:=yes/g' config.mk \
 && sed -i 's/WITH_SHARED_LIBRARIES:=yes/WITH_SHARED_LIBRARIES:=no/g' config.mk \
@@ -107,8 +107,8 @@ echo "INSTALL: mosquitto" \
 ldconfig
 
 apt-get -y clean \
-&& rm -Rf /opt/mongo-c-driver-1.24.3 \
+&& rm -Rf /opt/mongo-c-driver-1.29.0 \
 && rm -Rf /opt/rapidjson-1.1.0 \
-&& rm -Rf /opt/libmicrohttpd-0.9.76 \
-&& rm -Rf /opt/mosquitto-2.0.15 \
+&& rm -Rf /opt/libmicrohttpd-1.0.1 \
+&& rm -Rf /opt/mosquitto-2.0.20 \
 && rm -Rf /opt/gmock-1.5.0
diff --git a/doc/manuals.jp/admin/build_source.md b/doc/manuals.jp/admin/build_source.md
@@ -11,12 +11,12 @@ Orion Context Broker のリファレンス配布は Debian 12 です。これは
 Orion Context Broker は、以下のライブラリをビルドの依存関係として使用します :
 
 * boost: 1.74
-* libmicrohttpd: 0.9.76 (ソースから)
+* libmicrohttpd: 1.0.1 (ソースから)
 * libcurl: 7.88.1
 * openssl: 3.0.14
 * libuuid: 2.38.1
-* libmosquitto: 2.0.15 (ソースから)
-* Mongo C driver: 1.24.3 (ソースから)
+* libmosquitto: 2.0.20 (ソースから)
+* Mongo C driver: 1.29.0 (ソースから)
 * rapidjson: 1.1.0 (ソースから)
 * gtest (`make unit_test` ビルディング・ターゲットのみ) : 1.5 (ソースから)
 * gmock (`make unit_test` ビルディング・ターゲットのみ) : 1.5 (ソースから)
@@ -33,9 +33,9 @@ Orion Context Broker は、以下のライブラリをビルドの依存関係
 
 * ソースから Mongo Driver をインストールします
 
-        wget https://github.com/mongodb/mongo-c-driver/releases/download/1.24.3/mongo-c-driver-1.24.3.tar.gz
-        tar xfvz mongo-c-driver-1.24.3.tar.gz
-        cd mongo-c-driver-1.24.3
+        wget https://github.com/mongodb/mongo-c-driver/releases/download/1.29.0/mongo-c-driver-1.29.0.tar.gz
+        tar xfvz mongo-c-driver-1.29.0.tar.gz
+        cd mongo-c-driver-1.29.0
         mkdir cmake-build
         cd cmake-build
         cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF ..
@@ -50,19 +50,19 @@ Orion Context Broker は、以下のライブラリをビルドの依存関係
 
 * ソースから libmicrohttpd をインストールします (`./configure` 下のコマンドはライブラリの最小限のフットプリントを得るための推奨ビルド設定を示していますが、上級ユーザの方は好きなように設定できます)
 
-        wget https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-0.9.76.tar.gz
-        tar xvf libmicrohttpd-0.9.76.tar.gz
-        cd libmicrohttpd-0.9.76
+        wget https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-1.0.1.tar.gz
+        tar xvf libmicrohttpd-1.0.1.tar.gz
+        cd libmicrohttpd-1.0.1
         ./configure --disable-messages --disable-postprocessor --disable-dauth
         make
         sudo make install  # installation puts .h files in /usr/local/include and library in /usr/local/lib
         sudo ldconfig      # just in case... it doesn't hurt :)
 
-* ソースから mosquitto をインストールします (WITH_CJSON, WITH_STATIC_LIBRARIES, WITH_SHARED_LIBRARIES の設定を変更することで、mosquitto-2.0.15/ の下の config.mk ファイルを変更してビルドを微調整できます)
+* ソースから mosquitto をインストールします (WITH_CJSON, WITH_STATIC_LIBRARIES, WITH_SHARED_LIBRARIES の設定を変更することで、mosquitto-2.0.20/ の下の config.mk ファイルを変更してビルドを微調整できます)
 
-        wget https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz
-        tar xvf mosquitto-2.0.15.tar.gz
-        cd mosquitto-2.0.15
+        wget https://mosquitto.org/files/source/mosquitto-2.0.20.tar.gz
+        tar xvf mosquitto-2.0.20.tar.gz
+        cd mosquitto-2.0.20
         sed -i 's/WITH_CJSON:=yes/WITH_CJSON:=no/g' config.mk
         sed -i 's/WITH_STATIC_LIBRARIES:=no/WITH_STATIC_LIBRARIES:=yes/g' config.mk
         sed -i 's/WITH_SHARED_LIBRARIES:=yes/WITH_SHARED_LIBRARIES:=no/g' config.mk

diff --git a/doc/manuals/admin/build_source.md b/doc/manuals/admin/build_source.md
@@ -11,12 +11,12 @@ You can also have a look to [3.1 Building in not official distributions](../../.
 The Orion Context Broker uses the following libraries as build dependencies:
 
 * boost: 1.74
-* libmicrohttpd: 0.9.76 (from source)
+* libmicrohttpd: 1.0.1 (from source)
 * libcurl: 7.88.1
 * openssl: 3.0.14
 * libuuid: 2.38.1
-* libmosquitto: 2.0.15 (from source)
-* Mongo C driver: 1.24.3 (from source)
+* libmosquitto: 2.0.20 (from source)
+* Mongo C driver: 1.29.0 (from source)
 * rapidjson: 1.1.0 (from source)
 * gtest (only for `make unit_test` building target): 1.5 (from sources)
 * gmock (only for `make unit_test` building target): 1.5 (from sources)
@@ -34,9 +34,9 @@ commands that require root privilege):
 
 * Install the Mongo Driver from source.
 
-        wget https://github.com/mongodb/mongo-c-driver/releases/download/1.24.3/mongo-c-driver-1.24.3.tar.gz
-        tar xfvz mongo-c-driver-1.24.3.tar.gz
-        cd mongo-c-driver-1.24.3
+        wget https://github.com/mongodb/mongo-c-driver/releases/download/1.29.0/mongo-c-driver-1.29.0.tar.gz
+        tar xfvz mongo-c-driver-1.29.0.tar.gz
+        cd mongo-c-driver-1.29.0
         mkdir cmake-build
         cd cmake-build
         cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF ..
@@ -51,19 +51,19 @@ commands that require root privilege):
 
 * Install libmicrohttpd from sources (the `./configure` command below shows the recommended build configuration to get minimum library footprint, but if you are an advanced user, you can configure as you prefer)
 
-        wget https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-0.9.76.tar.gz
-        tar xvf libmicrohttpd-0.9.76.tar.gz
-        cd libmicrohttpd-0.9.76
+        wget https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-1.0.1.tar.gz
+        tar xvf libmicrohttpd-1.0.1.tar.gz
+        cd libmicrohttpd-1.0.1
         ./configure --disable-messages --disable-postprocessor --disable-dauth
         make
         sudo make install  # installation puts .h files in /usr/local/include and library in /usr/local/lib
         sudo ldconfig      # just in case... it doesn't hurt :)
 
-* Install mosquitto from sources (appart from changing WITH_CJSON, WITH_STATIC_LIBRARIES and WITH_SHARED_LIBRARIES settings, config.mk file under mosquitto-2.0.15/ can be modified to fine tune the build)
+* Install mosquitto from sources (appart from changing WITH_CJSON, WITH_STATIC_LIBRARIES and WITH_SHARED_LIBRARIES settings, config.mk file under mosquitto-2.0.20/ can be modified to fine tune the build)
 
-        wget https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz
-        tar xvf mosquitto-2.0.15.tar.gz
-        cd mosquitto-2.0.15
+        wget https://mosquitto.org/files/source/mosquitto-2.0.20.tar.gz
+        tar xvf mosquitto-2.0.20.tar.gz
+        cd mosquitto-2.0.20
         sed -i 's/WITH_CJSON:=yes/WITH_CJSON:=no/g' config.mk
         sed -i 's/WITH_STATIC_LIBRARIES:=no/WITH_STATIC_LIBRARIES:=yes/g' config.mk
         sed -i 's/WITH_SHARED_LIBRARIES:=yes/WITH_SHARED_LIBRARIES:=no/g' config.mk

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -61,18 +61,18 @@ RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
       libgcrypt-dev && \
     # Install libmicrohttpd from source
     cd /opt && \
-    curl -kOL https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-0.9.76.tar.gz && \
-    tar xvf libmicrohttpd-0.9.76.tar.gz && \
-    cd libmicrohttpd-0.9.76 && \
+    curl -kOL https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-1.0.1.tar.gz && \
+    tar xvf libmicrohttpd-1.0.1.tar.gz && \
+    cd libmicrohttpd-1.0.1 && \
     ./configure --disable-messages --disable-postprocessor --disable-dauth && \
     make && \
     make install && \
     ldconfig && \
     # Install mosquitto from source
     cd /opt && \
-    curl -kOL https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz && \
-    tar xvf mosquitto-2.0.15.tar.gz && \
-    cd mosquitto-2.0.15 && \
+    curl -kOL https://mosquitto.org/files/source/mosquitto-2.0.20.tar.gz && \
+    tar xvf mosquitto-2.0.20.tar.gz && \
+    cd mosquitto-2.0.20 && \
     sed -i 's/WITH_CJSON:=yes/WITH_CJSON:=no/g' config.mk && \
     sed -i 's/WITH_STATIC_LIBRARIES:=no/WITH_STATIC_LIBRARIES:=yes/g' config.mk && \
     sed -i 's/WITH_SHARED_LIBRARIES:=yes/WITH_SHARED_LIBRARIES:=no/g' config.mk && \
@@ -81,9 +81,9 @@ RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     ldconfig && \
     # Install mongodb driver from source
     cd /opt && \
-    curl -kOL https://github.com/mongodb/mongo-c-driver/releases/download/1.24.3/mongo-c-driver-1.24.3.tar.gz && \
-    tar xfvz mongo-c-driver-1.24.3.tar.gz && \
-    cd mongo-c-driver-1.24.3 && \
+    curl -kOL https://github.com/mongodb/mongo-c-driver/releases/download/1.29.0/mongo-c-driver-1.29.0.tar.gz && \
+    tar xfvz mongo-c-driver-1.29.0.tar.gz && \
+    cd mongo-c-driver-1.29.0 && \
     mkdir cmake-build && \
     cd cmake-build && \
     # Different from ci/deb/build-dep.sh and build from source documentation, we add here also
@@ -116,14 +116,14 @@ RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     # cleanup sources, dev tools and locales to reduce the final image size
     # FIXME: this could need more tunning. Have a look to old CentOS Docerkile and try to
     # reproduce the same steps
-    rm -rf /opt/libmicrohttpd-0.9.76.tar.gz \
+    rm -rf /opt/libmicrohttpd-1.0.1.tar.gz \
            /usr/local/include/microhttpd.h \
            /usr/local/lib/libmicrohttpd.* \
-           /opt/libmicrohttpd-0.9.76 \
-           /opt/mosquitto-2.0.15.tar.gz \
-           /opt/mosquitto-2.0.15 \
-           /opt/mongo-c-driver-1.24.3.tar.gz \
-           /opt/mongo-c-driver-1.24.3 \
+           /opt/libmicrohttpd-1.0.1 \
+           /opt/mosquitto-2.0.20.tar.gz \
+           /opt/mosquitto-2.0.20 \
+           /opt/mongo-c-driver-1.29.0.tar.gz \
+           /opt/mongo-c-driver-1.29.0 \
            /usr/local/include/mongo \
            /usr/local/lib/libmongoclient.a \
            /usr/local/lib/libcjexl.a \

diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
@@ -62,9 +62,9 @@ RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     # Install libmicrohttpd from source
     echo =====================MARK1 && \
     cd /opt && \
-    curl -kOL https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-0.9.76.tar.gz && \
-    tar xvf libmicrohttpd-0.9.76.tar.gz && \
-    cd libmicrohttpd-0.9.76 && \
+    curl -kOL https://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-1.0.1.tar.gz && \
+    tar xvf libmicrohttpd-1.0.1.tar.gz && \
+    cd libmicrohttpd-1.0.1 && \
     ./configure --disable-messages --disable-postprocessor --disable-dauth && \
     make && \
     echo =====================MARK2 && \
@@ -74,9 +74,9 @@ RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     echo =====================MARK3 && \
     # Install mosquitto from source
     cd /opt && \
-    curl -kOL https://mosquitto.org/files/source/mosquitto-2.0.15.tar.gz && \
-    tar xvf mosquitto-2.0.15.tar.gz && \
-    cd mosquitto-2.0.15 && \
+    curl -kOL https://mosquitto.org/files/source/mosquitto-2.0.20.tar.gz && \
+    tar xvf mosquitto-2.0.20.tar.gz && \
+    cd mosquitto-2.0.20 && \
     sed -i 's/WITH_CJSON:=yes/WITH_CJSON:=no/g' config.mk && \
     sed -i 's/WITH_STATIC_LIBRARIES:=no/WITH_STATIC_LIBRARIES:=yes/g' config.mk && \
     sed -i 's/WITH_SHARED_LIBRARIES:=yes/WITH_SHARED_LIBRARIES:=no/g' config.mk && \
@@ -86,9 +86,9 @@ RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     #ldconfig && \
     # Install mongodb driver from source
     cd /opt && \
-    curl -kOL https://github.com/mongodb/mongo-c-driver/releases/download/1.24.3/mongo-c-driver-1.24.3.tar.gz && \
-    tar xfvz mongo-c-driver-1.24.3.tar.gz && \
-    cd mongo-c-driver-1.24.3 && \
+    curl -kOL https://github.com/mongodb/mongo-c-driver/releases/download/1.29.0/mongo-c-driver-1.29.0.tar.gz && \
+    tar xfvz mongo-c-driver-1.29.0.tar.gz && \
+    cd mongo-c-driver-1.29.0 && \
     mkdir cmake-build && \
     cd cmake-build && \
     # Different from ci/deb/build-dep.sh and build from source documentation, we add here also
@@ -124,14 +124,14 @@ RUN --mount=type=secret,id=repo_token,dst=/run/secrets/repo_token \
     # cleanup sources, dev tools and locales to reduce the final image size
     # FIXME: this could need more tunning. Have a look to old CentOS Docerkile and try to
     # reproduce the same steps
-    rm -rf /opt/libmicrohttpd-0.9.76.tar.gz \
+    rm -rf /opt/libmicrohttpd-1.0.1.tar.gz \
            /usr/local/include/microhttpd.h \
            /usr/local/lib/libmicrohttpd.* \
-           /opt/libmicrohttpd-0.9.76 \
-           /opt/mosquitto-2.0.15.tar.gz \
-           /opt/mosquitto-2.0.15 \
-           /opt/mongo-c-driver-1.24.3.tar.gz \
-           /opt/mongo-c-driver-1.24.3 \
+           /opt/libmicrohttpd-1.0.1 \
+           /opt/mosquitto-2.0.20.tar.gz \
+           /opt/mosquitto-2.0.20 \
+           /opt/mongo-c-driver-1.29.0.tar.gz \
+           /opt/mongo-c-driver-1.29.0 \
            /usr/local/include/mongo \
            /usr/local/lib/libmongoclient.a \
            /usr/local/lib/libcjexl.a \