ztunnel-1.24/1.24.2-r0: cve remediation #38450

Open
wants to merge 1 commit into
base: main

@octo-sts octo-sts bot commented Dec 28, 2024

octo-sts bot commented Dec 28, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "Error: failed to parse the pom file: failed to run cargo update 'error: There are multiple idna packages in your project, and the specification idna is ambiguous."

• Error Category: Dependency

• Failure Point: The cargo/cargobump step attempting to update the idna package

• Root Cause Analysis: The project has multiple versions of the idna package (0.5.0 and 1.0.3) and the cargobump command needs a specific version specified.

• Suggested Fix:

  1. Modify the cargo update command in the pipeline to specify the exact version:
  - name: Update package with cargo
    runs: |
      cargo update -p idna@1.0.3  # Use the newer version
      cargo update -p hashbrown@0.15.0

• Explanation: The error occurs because cargo can't determine which version of idna to update when there are multiple versions in use. By specifically targeting version 1.0.3, we resolve the ambiguity while maintaining compatibility with dependent packages.

• Additional Notes:

  • Multiple versions of the same package can exist in Rust projects due to different dependencies requiring different versions
  • Generally, it's better to standardize on a single version when possible
  • The newer 1.0.3 version is suggested as it likely has security fixes and improvements

• References:
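
Added example (not part of the bot's comment or of the project's pipeline): a shell function that lists every crate locked at more than one version in a `Cargo.lock`, which is the condition behind the "specification idna is ambiguous" error, so each `cargo update -p name@version` spec can be chosen deliberately. The lockfile contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lockfile: hashbrown and idna appear twice, url once.
write_sample_lock() {
    cat > "$1" <<'EOF'
version = 3

[[package]]
name = "hashbrown"
version = "0.14.5"
[[package]]
name = "hashbrown"
version = "0.15.0"
[[package]]
name = "idna"
version = "0.5.0"
[[package]]
name = "idna"
version = "1.0.3"
[[package]]
name = "url"
version = "2.5.4"
dependencies = [
 "idna 1.0.3",
]
EOF
}

# Print name@version for every crate with more than one locked version.
ambiguous_crates() {
    awk '
        /^\[\[package\]\]/ { in_pkg = 1; name = ""; next }
        /^\[/ { in_pkg = 0; next }
        in_pkg && /^name = "/ { name = $3; gsub(/"/, "", name); next }
        in_pkg && /^version = "/ && name != "" {
            ver = $3; gsub(/"/, "", ver)
            count[name]++; versions[name] = versions[name] " " ver
        }
        END {
            for (n in count) if (count[n] > 1) {
                k = split(versions[n], v, " ")
                for (i = 1; i <= k; i++) print n "@" v[i]
            }
        }
    ' "$1" | LC_ALL=C sort
}

lock=$(mktemp); write_sample_lock "$lock"
ambiguous_crates "$lock"
rm -f "$lock"
```

Each printed line is a spec that `cargo update -p` accepts without ambiguity; crates locked at a single version, such as `url` in the sample, are not listed.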
