@octo-sts octo-sts bot commented Nov 26, 2024

octo-sts bot added the labels P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.), automated pr, GHSA-qg5g-gv98-5ffh, request-cve-remediation, rust/cargobump, qdrant/1.12.4-r0 on Nov 26, 2024

octo-sts bot commented Nov 26, 2024

Gen AI suggestions to solve the build error:

• Detected Error: The error output ends abruptly during the cargobump step, suggesting a potential issue with dependency resolution or version compatibility.

• Error Category: Dependency/Version

• Failure Point: During the rust/cargobump step while updating rustls dependency

• Root Cause Analysis: The cargobump tool is attempting to update dependencies, but appears to have encountered an issue while processing the rustls package. This could be due to version constraints or incompatibilities.

• Suggested Fix:

  1. Add explicit version constraint for rustls in melange.yaml:

     environment:
       contents:
         packages:
           - rustls-0.21.7  # Add specific version

  2. Or add a cargobump-deps.yaml file with:

     packages:
       rustls:
         version: "=0.21.7"

• Explanation:

  • Qdrant 1.12.4 likely has specific version requirements for rustls
  • Explicitly pinning the rustls version will prevent dependency resolution issues
  • Version 0.21.7 is commonly used with recent Rust projects and should be compatible

• Additional Notes:

  • Cargobump failures often occur when there are breaking changes between dependency versions
  • The error stopping at rustls suggests this is the problematic dependency
  • You may need to check Qdrant's Cargo.toml for exact version requirements

• References:

Would you like me to provide additional details about implementing any part of this solution?


hbh7 commented Jan 2, 2025

PR is redundant with #35898

@hbh7 hbh7 closed this Jan 2, 2025