Update base image from ubuntu:20.04 à ubuntu 22.04
Update janus-gateway that contains changes to use OpenSSL v3.0 functions shipped with Ubuntu 22.04.
Update libwebsockets usrsctp libsrtp libnice and enable additional flags for hardening, also for janus,
look at the dependency versions used in janus-gateway GitHub CI https://github.com/meetecho/janus-gateway/blob/master/.github/workflows/janus-ci.yml They just updated it to use libsrtp2 2.6.0 (master is known to not work because of API changes)
Binary is compiled with debug sections. Those should be stripped (CWE-215).
libusrsctp.so.2.0.0 libjanus_plugin_sfu.so libjanus_websockets.so.0.0.0 libjanus_pfunix.so.0.0.0 libjanus_http.so.0.0.0
libnice.so.10.11.0 janus
Binary is compiled with assert() statements. Those should be removed (CWE-617).
libwebsockets.so.19 libnice.so.10.11.0
FULL RELOCATIONS
libsrtp2.so.1 libusrsctp.so.2.0.0 libwebsockets.so.19 libjanus_websockets.so.0.0.0 libjanus_pfunix.so.0.0.0
libjanus_http.so.0.0.0 libnice.so.10.11.0
vincentfretin
commented
3 months ago
Notes from an audit report:
Binary is compiled with debug sections. Those should be stripped (CWE-215). libusrsctp.so.2.0.0 libjanus_plugin_sfu.so libjanus_websockets.so.0.0.0 libjanus_pfunix.so.0.0.0 libjanus_http.so.0.0.0 libnice.so.10.11.0 janus
Binary is compiled with assert() statements. Those should be removed (CWE-617). libwebsockets.so.19 libnice.so.10.11.0
FULL RELOCATIONS libsrtp2.so.1 libusrsctp.so.2.0.0 libwebsockets.so.19 libjanus_websockets.so.0.0.0 libjanus_pfunix.so.0.0.0 libjanus_http.so.0.0.0 libnice.so.10.11.0
FORTIFY CWE 693 : Lack of Hardening libwebsockets.so.19 libjanus_plugin_sfu.so libjanus_websockets.so.0.0.0 libjanus_pfunix.so.0.0.0 libjanus_http.so.0.0.0 janus
https://wiki.debian.org/Hardening search for "Notes for packages using CMake" so probably add the following flags: gcc -D_FORTIFY_SOURCE=2 -O1