From cb4f157763625f71191baf37377aabae9fe7a419 Mon Sep 17 00:00:00 2001
From: Davide Bettio
Date: Mon, 26 Sep 2022 16:29:23 +0200
Subject: [PATCH 1/3] Update astarte_rpc, castore and certifi Update astarte_rpc to 1.0.4 and CA store to latest version.
Signed-off-by: Davide Bettio
---
 mix.exs | 2 +-
 mix.lock | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/mix.exs b/mix.exs
index f90fd08..a50afbb 100644
--- a/mix.exs
+++ b/mix.exs
@@ -76,7 +76,7 @@ defmodule Astarte.VMQ.Plugin.Mixfile do
 defp astarte_required_modules(_) do
 [
- {:astarte_rpc, "~> 1.0.3"}
+ {:astarte_rpc, "~> 1.0.4"}
 ]
 end
diff --git a/mix.lock b/mix.lock
index 9e20144..9db7881 100644
--- a/mix.lock
+++ b/mix.lock
@@ -1,9 +1,9 @@ %{ "amqp": {:hex, :amqp, "2.1.2", "eab047abb54f7e30022b81b9534b797e51c6e7756f1b112ec6dcee3c3ac20eac", [:mix], [{:amqp_client, "~> 3.8.0", [hex: :amqp_client, repo: "hexpm", optional: false]}], "hexpm", "535901c611a979221d045839e9e7a661bf33d04590b796c8fa30f487511fde04"}, "amqp_client": {:hex, :amqp_client, "3.8.25", "6035b3cc946cd45c7bc09c590bfb31de2b106e79564709b8c40e1c25f66b47ee", [:make, :rebar3], [{:rabbit_common, "3.8.25", [hex: :rabbit_common, repo: "hexpm", optional: false]}], "hexpm", "3b5889fe922c212acf9bfa355495d6a8a0a507591b54c0d4183d755a9b5a61ce"}, - "astarte_rpc": {:hex, :astarte_rpc, "1.0.3", "b37dbbbff1170f99b04bf3422ade0d268c9acfba2973542481f910905cd1121e", [:mix], [{:amqp, "~> 2.1", [hex: :amqp, repo: "hexpm", optional: false]}, {:castore, "~> 0.1.0", [hex: :castore, repo: "hexpm", optional: false]}, {:exprotobuf, "~> 1.2", [hex: :exprotobuf, repo: "hexpm", optional: false]}, {:gpb, "~> 4.12.0", [hex: :gpb, repo: "hexpm", optional: false]}, {:skogsra, "~> 2.2", [hex: :skogsra, repo: "hexpm", optional: false]}], "hexpm", "4bdaf3203e7c38fcd801ce7993e2e521ed7544b5db2690977650f7517d44abfa"}, - "castore": {:hex, :castore, "0.1.17", "ba672681de4e51ed8ec1f74ed624d104c0db72742ea1a5e74edbc770c815182f", [:mix], [], "hexpm", "d9844227ed52d26e7519224525cb6868650c272d4a3d327ce3ca5570c12163f9"}, - "certifi": {:hex, :certifi, "2.6.1", "dbab8e5e155a0763eea978c913ca280a6b544bfa115633fa20249c3d396d9493", [:rebar3], [], "hexpm", "524c97b4991b3849dd5c17a631223896272c6b0af446778ba4675a1dff53bb7e"}, + "astarte_rpc": {:hex, :astarte_rpc, "1.0.4", "c44de4edbe33e33d823dfca06c0b99944d99301605cccac7946519c960a1334d", [:mix], [{:amqp, "~> 2.1", [hex: :amqp, repo: "hexpm", optional: false]}, {:castore, "~> 0.1.0", [hex: :castore, repo: "hexpm", optional: false]}, {:exprotobuf, "~> 1.2", [hex: :exprotobuf, repo: "hexpm", optional: false]}, {:gpb, "~> 4.12.0", [hex: :gpb, repo: "hexpm", optional: false]}, {:skogsra, "~> 2.2", [hex: :skogsra, repo: "hexpm", 
optional: false]}], "hexpm", "e9a5b8e8e286d3af50fdb8bd979476351f7ae62c42db0d3c05b7a9ae05ac912b"}, + "castore": {:hex, :castore, "0.1.18", "deb5b9ab02400561b6f5708f3e7660fc35ca2d51bfc6a940d2f513f89c2975fc", [], [], "hexpm", "61bbaf6452b782ef80b33cdb45701afbcf0a918a45ebe7e73f1130d661e66a06"}, + "certifi": {:hex, :certifi, "2.6.1", "dbab8e5e155a0763eea978c913ca280a6b544bfa115633fa20249c3d396d9493", [], [], "hexpm", "524c97b4991b3849dd5c17a631223896272c6b0af446778ba4675a1dff53bb7e"}, "credentials_obfuscation": {:hex, :credentials_obfuscation, "2.4.0", "9fb57683b84899ca3546b384e59ab5d3054a9f334eba50d74c82cd0ae82dd6ca", [:rebar3], [], "hexpm", "d28a89830e30698b075de9a4dbe683a20685c6bed1e3b7df744a0c06e6ff200a"}, "dialyzex": {:git, "https://github.com/Comcast/dialyzex.git", "cdc7cf71fe6df0ce4cf59e3f497579697a05c989", []}, "excoveralls": {:hex, :excoveralls, "0.14.0", "4b562d2acd87def01a3d1621e40037fdbf99f495ed3a8570dfcf1ab24e15f76d", [:mix], [{:hackney, "~> 1.16", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "94f17478b0cca020bcd85ce7eafea82d2856f7ed022be777734a2f864d36091a"},
From be4a17f69679e9d885706b6298fbc08255aaecc0 Mon Sep 17 00:00:00 2001
From: Davide Bettio
Date: Mon, 26 Sep 2022 16:37:42 +0200
Subject: [PATCH 2/3] GitHub actions: test against OTP 23.3 Use OTP 23.3, which is the version used in our docker images.
Signed-off-by: Davide Bettio
---
 .github/workflows/build-workflow.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-workflow.yaml b/.github/workflows/build-workflow.yaml
index a89169e..734b2d2 100644
--- a/.github/workflows/build-workflow.yaml
+++ b/.github/workflows/build-workflow.yaml
@@ -13,7 +13,7 @@ on:
 env:
 elixir_version: "1.11.4"
- otp_version: "23.2"
+ otp_version: "23.3"
 jobs:
 test-dialyzer:
From f07437bdb795b75e0387f9cefb75bdcc6fbd796d Mon Sep 17 00:00:00 2001
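Review bot: `otp_version: "23.3"` in the workflow `env:` block names only the minor release, so the OTP patch level CI actually tests depends on how the setup step resolves that string, which is not visible in this hunk. The CHANGELOG entry in patch 3/3 ties the CVE-2022-37026 fix to OTP 23.3.4.17 in the docker image, and a loose pin here can leave CI running a different 23.3.x than the runtime that ships. If the setup action accepts full version strings, pin it exactly with `otp_version: "23.3.4.17"` and add a comment such as `# keep in sync with the OTP version in the official docker image` so the two do not drift apart.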
From: Davide Bettio
Date: Mon, 26 Sep 2022 16:40:19 +0200
Subject: [PATCH 3/3] Prepare 1.0.4 release
Signed-off-by: Davide Bettio
---
 CHANGELOG.md | 4 +++-
 mix.exs | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44d104f..6b7ade8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,11 +4,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [1.0.4] - Unreleased +## [1.0.4] - 2022-09-26 ### Fixed - Do not let VerneMQ container start unless the CA cert is retrieved from CFSSL. - Prevent the connection from timing out when the client takes more than 5 seconds to perform the SSL handshake +### Security +- Rebuild official docker image (updates OTP to 23.3.4.17), in order to fix CVE-2022-37026. ## [1.0.3] - 2022-04-07
diff --git a/mix.exs b/mix.exs
index a50afbb..30643e4 100644
--- a/mix.exs
+++ b/mix.exs
@@ -22,7 +22,7 @@ defmodule Astarte.VMQ.Plugin.Mixfile do
 def project do
 [
 app: :astarte_vmq_plugin,
- version: "1.0.3",
+ version: "1.0.4",
 elixir: "~> 1.11",
 elixirc_paths: elixirc_paths(Mix.env()),
 start_permanent: Mix.env() == :prod,