fix(plugin-keychain-vault): fix CVE-2024-0553 in vault server image

[petermetz]

1. The solution here was to migrate the image from Debian to Ubuntu
   because it seems to not have the same vulnerabilities as the lastest
   stable Debian image does, so the change itself is to move to Ubuntu 24.04
   LTS.
2. Also upgraded the Rust toolchain to the current latest which mandated
   a couple of small code changes that are also added in this commit.

The original security report from Trivy that we've discoverd on the CI:

┌─────────────┬───────────────┬──────────┬───────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │
├─────────────┼───────────────┼──────────┼───────────────────┤
│ libgnutls30 │ CVE-2024-0553 │ HIGH │ 3.6.7-4+deb10u11 │
│ │ │ │ │
└─────────────┴───────────────┴──────────┴───────────────────┘
...
┬──────────────────┬───────────────────────────────────────────┐
│ Fixed Version │ Title │
┼──────────────────┼───────────────────────────────────────────┤
│ 3.6.7-4+deb10u12 │ gnutls: incomplete fix for CVE-2023-5981 │
│ │ https://avd.aquasec.com/nvd/cve-2024-0553 │
┴──────────────────┴───────────────────────────────────────────┘

Signed-off-by: Peter Somogyvari [email protected]

Pull Request Requirements

• Rebased onto upstream/main branch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.
• Have git sign off at the end of commit message to avoid being marked red. You can add -s flag when using git commit command. You may refer to this link for more information.
• Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

• Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
• Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.

[VRamakrishna]

FYI, the Weaver Relay is built on Rust 1.69.0-slim-bullseye (see various Dockerfiles in https://github.com/hyperledger/cacti/tree/main/weaver/core/relay). Do we need to upgrade those too?

From what I understand, upgrading the Rust toolchain has nothing to do with the reported vulnerability, right?

[petermetz]

FYI, the Weaver Relay is built on Rust 1.69.0-slim-bullseye (see various Dockerfiles in https://github.com/hyperledger/cacti/tree/main/weaver/core/relay). Do we need to upgrade those too?

From what I understand, upgrading the Rust toolchain has nothing to do with the reported vulnerability, right?

@VRamakrishna In general, I'd recommend upgrading, yes (unless there's some big blocker from doing so).

The vulnerabilities might not be related to the rust toolchain itself, but often I've seen situations where upgrading it is the only path anyway because the older rust versions ship with older base images of the underlying OS which then does have vulnerabilities baked into it.
The above scnario is not always the case (and I haven't looked into this particular image in detail to confirm or deny it either) but it does happen.