Commit ebd437c
Update Rust crate openssl to v0.10.79 [SECURITY] (#50625)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [openssl](https://redirect.github.com/rust-openssl/rust-openssl) | workspace.dependencies | patch | `0.10.77` → `0.10.79` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/32940) for more information.
---
### rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check
[CVE-2026-41681](https://nvd.nist.gov/vuln/detail/CVE-2026-41681) / [GHSA-ghm9-cr32-g9qj](https://redirect.github.com/advisories/GHSA-ghm9-cr32-g9qj)
<details>
<summary>More information</summary>
#### Details
`EVP_DigestFinal()` always writes `EVP_MD_CTX_size(ctx)` to the `out` buffer. If `out` is smaller than that, `MdCtxRef::digest_final()` writes past its end, usually corrupting the stack. This is reachable from safe Rust.
#### Severity
- CVSS Score: 8.1 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U`
#### References
- [https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj)
- [https://github.com/rust-openssl/rust-openssl/pull/2608](https://redirect.github.com/rust-openssl/rust-openssl/pull/2608)
- [https://github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe](https://redirect.github.com/rust-openssl/rust-openssl/commit/826c3888b77add418b394770e2b2e3a72d9f92fe)
- [https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-41681](https://nvd.nist.gov/vuln/detail/CVE-2026-41681)
- [https://github.com/advisories/GHSA-ghm9-cr32-g9qj](https://redirect.github.com/advisories/GHSA-ghm9-cr32-g9qj)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-ghm9-cr32-g9qj) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
[CVE-2026-41898](https://nvd.nist.gov/vuln/detail/CVE-2026-41898) / [GHSA-hppc-g8h3-xhp3](https://redirect.github.com/advisories/GHSA-hppc-g8h3-xhp3)
<details>
<summary>More information</summary>
#### Details
The FFI trampolines behind `SslContextBuilder::set_psk_client_callback`, `set_psk_server_callback`, `set_cookie_generate_cb`, and `set_stateless_cookie_generate_cb` forwarded the user closure's returned usize directly to OpenSSL without checking it against the `&mut [u8]` that was handed to the closure. This can lead to buffer overflows and other unintended consequences.
#### Severity
- CVSS Score: 8.3 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N`
#### References
- [https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3)
- [https://github.com/rust-openssl/rust-openssl/pull/2607](https://redirect.github.com/rust-openssl/rust-openssl/pull/2607)
- [https://github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c](https://redirect.github.com/rust-openssl/rust-openssl/commit/1d109020d98fff2fb2e45c39a373af3dff99b24c)
- [https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-41898](https://nvd.nist.gov/vuln/detail/CVE-2026-41898)
- [https://github.com/advisories/GHSA-hppc-g8h3-xhp3](https://redirect.github.com/advisories/GHSA-hppc-g8h3-xhp3)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-hppc-g8h3-xhp3) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### rust-openssl has incorrect bounds assertion in aes key wrap
[CVE-2026-41678](https://nvd.nist.gov/vuln/detail/CVE-2026-41678) / [GHSA-8c75-8mhr-p7r9](https://redirect.github.com/advisories/GHSA-8c75-8mhr-p7r9)
<details>
<summary>More information</summary>
#### Details
##### Summary
``aes::unwrap_key()`` has an incorrect bounds assertion on the out buffer size, which can lead to out-of-bounds write.
##### Details
``aes::unwrap_key()`` contains an incorrect assertion: it checks that `out.len() + 8 <= in_.len()`, but this condition is reversed. The intended invariant is `out.len() >= in_.len() - 8`, ensuring the output buffer is large enough.
Because of the inverted check, the function only accepts buffers at or below the minimum required size and rejects larger ones. If a smaller buffer is provided the function will write past the end of `out` by `in_.len() - 8 - out.len()` bytes, causing an out-of-bounds write from a safe public function.
##### Impact
Vulnerable applications using AES keywrap and allowing attacker controlled buffer sizes could have an attacker trigger an out-of-bounds write.
#### Severity
- CVSS Score: 7.2 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U`
#### References
- [https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9)
- [https://github.com/rust-openssl/rust-openssl/pull/2604](https://redirect.github.com/rust-openssl/rust-openssl/pull/2604)
- [https://github.com/rust-openssl/rust-openssl/commit/718d07ff8ff7be417d5b7a6a0047f1607520b3b6](https://redirect.github.com/rust-openssl/rust-openssl/commit/718d07ff8ff7be417d5b7a6a0047f1607520b3b6)
- [https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-41678](https://nvd.nist.gov/vuln/detail/CVE-2026-41678)
- [https://github.com/advisories/GHSA-8c75-8mhr-p7r9](https://redirect.github.com/advisories/GHSA-8c75-8mhr-p7r9)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-8c75-8mhr-p7r9) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length
[CVE-2026-41677](https://nvd.nist.gov/vuln/detail/CVE-2026-41677) / [GHSA-xmgf-hq76-4vx2](https://redirect.github.com/advisories/GHSA-xmgf-hq76-4vx2)
<details>
<summary>More information</summary>
#### Details
The `*_from_pem_callback` APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this.
#### Severity
- CVSS Score: 1.7 / 10 (Low)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U`
#### References
- [https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2)
- [https://github.com/rust-openssl/rust-openssl/pull/2605](https://redirect.github.com/rust-openssl/rust-openssl/pull/2605)
- [https://github.com/rust-openssl/rust-openssl/commit/5af6895c907773699f37f583f409b862284062b1](https://redirect.github.com/rust-openssl/rust-openssl/commit/5af6895c907773699f37f583f409b862284062b1)
- [https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-41677](https://nvd.nist.gov/vuln/detail/CVE-2026-41677)
- [https://github.com/advisories/GHSA-xmgf-hq76-4vx2](https://redirect.github.com/advisories/GHSA-xmgf-hq76-4vx2)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xmgf-hq76-4vx2) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
[CVE-2026-41676](https://nvd.nist.gov/vuln/detail/CVE-2026-41676) / [GHSA-pqf5-4pqq-29f5](https://redirect.github.com/advisories/GHSA-pqf5-4pqq-29f5)
<details>
<summary>More information</summary>
#### Details
`Deriver::derive` (and `PkeyCtxRef::derive`) sets `len = buf.len()` and passes it as the in/out length to `EVP_PKEY_derive`, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming `*keylen`, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL.
#### Severity
- CVSS Score: 7.2 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U`
#### References
- [https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5)
- [https://github.com/rust-openssl/rust-openssl/pull/2606](https://redirect.github.com/rust-openssl/rust-openssl/pull/2606)
- [https://github.com/rust-openssl/rust-openssl/commit/09b425e5f59a2466d806e71a83a9a449c914c596](https://redirect.github.com/rust-openssl/rust-openssl/commit/09b425e5f59a2466d806e71a83a9a449c914c596)
- [https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-41676](https://nvd.nist.gov/vuln/detail/CVE-2026-41676)
- [https://github.com/advisories/GHSA-pqf5-4pqq-29f5](https://redirect.github.com/advisories/GHSA-pqf5-4pqq-29f5)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-pqf5-4pqq-29f5) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
[CVE-2026-42327](https://nvd.nist.gov/vuln/detail/CVE-2026-42327) / [GHSA-xp3w-r5p5-63rr](https://redirect.github.com/advisories/GHSA-xp3w-r5p5-63rr)
<details>
<summary>More information</summary>
#### Details
`X509Ref::ocsp_responders` returns OCSP responder URLs from a certificate's AIA extension as `OpensslString`, whose `Deref<Target = str>` wraps the raw bytes with `str::from_utf8_unchecked`. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a `&str` that violates the UTF-8 invariant — resulting in undefined behavior.
#### Severity
- CVSS Score: 8.7 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N`
#### References
- [https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr)
- [https://github.com/advisories/GHSA-xp3w-r5p5-63rr](https://redirect.github.com/advisories/GHSA-xp3w-r5p5-63rr)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xp3w-r5p5-63rr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>rust-openssl/rust-openssl (openssl)</summary>
### [`v0.10.79`](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.79)
[Compare Source](https://redirect.github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.78...openssl-v0.10.79)
#### What's Changed
- Bump actions/cache from 5.0.4 to 5.0.5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​2610](https://redirect.github.com/rust-openssl/rust-openssl/pull/2610)
- Try to fix OpenSSL 1.1.0l download by [@​botovq](https://redirect.github.com/botovq) in [#​2614](https://redirect.github.com/rust-openssl/rust-openssl/pull/2614)
- Require \&mut BigNumContextRef for EcPointRef mul/invert by [@​alex](https://redirect.github.com/alex) in [#​2615](https://redirect.github.com/rust-openssl/rust-openssl/pull/2615)
- Fix UB in EcGroupRef::generator on groups without a generator by [@​alex](https://redirect.github.com/alex) in [#​2617](https://redirect.github.com/rust-openssl/rust-openssl/pull/2617)
- Replace `use libc::*;` with targeted imports in openssl-sys by [@​alex](https://redirect.github.com/alex) in [#​2618](https://redirect.github.com/rust-openssl/rust-openssl/pull/2618)
- Add PKeyRef::is\_a and KeyType for name-based key identification by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2619](https://redirect.github.com/rust-openssl/rust-openssl/pull/2619)
- Add PKey::{public,private}\_key\_from\_raw\_bytes\_ex by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2620](https://redirect.github.com/rust-openssl/rust-openssl/pull/2620)
- Bump MSRV to 1.80 by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2622](https://redirect.github.com/rust-openssl/rust-openssl/pull/2622)
- Drop once\_cell in favor of std::sync::{LazyLock, OnceLock} by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2623](https://redirect.github.com/rust-openssl/rust-openssl/pull/2623)
- Add PKey::private\_key\_from\_seed for ML-DSA/ML-KEM key import by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2621](https://redirect.github.com/rust-openssl/rust-openssl/pull/2621)
- parallelize more builds in CI for cold caches by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2625](https://redirect.github.com/rust-openssl/rust-openssl/pull/2625)
- Add PKeyRef::seed\_into for ML-DSA/ML-KEM seed extraction by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2626](https://redirect.github.com/rust-openssl/rust-openssl/pull/2626)
- Fix process abort when verify/PSK callbacks fire after SSL\_CTX swap by [@​alex](https://redirect.github.com/alex) in [#​2624](https://redirect.github.com/rust-openssl/rust-openssl/pull/2624)
- Bind OSSL\_PARAM\_modified and use it for seed\_into by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2628](https://redirect.github.com/rust-openssl/rust-openssl/pull/2628)
- Add PkeyCtxRef::set\_context\_string for ML-DSA by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2629](https://redirect.github.com/rust-openssl/rust-openssl/pull/2629)
- Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp\_responders by [@​alex](https://redirect.github.com/alex) in [#​2631](https://redirect.github.com/rust-openssl/rust-openssl/pull/2631)
- Fix output buffer overflow for AES key-wrap-with-padding ciphers by [@​alex](https://redirect.github.com/alex) in [#​2630](https://redirect.github.com/rust-openssl/rust-openssl/pull/2630)
- Release openssl 0.10.79 and openssl-sys 0.9.115 by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2632](https://redirect.github.com/rust-openssl/rust-openssl/pull/2632)
**Full Changelog**: <rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79>
### [`v0.10.78`](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
[Compare Source](https://redirect.github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.77...openssl-v0.10.78)
#### What's Changed
- Fix Suite B flag assignments in verify.rs by [@​alex](https://redirect.github.com/alex) in [#​2592](https://redirect.github.com/rust-openssl/rust-openssl/pull/2592)
- Use cvt\_p for OPENSSL\_malloc error handling by [@​alex](https://redirect.github.com/alex) in [#​2593](https://redirect.github.com/rust-openssl/rust-openssl/pull/2593)
- Mark BIO\_get\_mem\_data on AWS-LC to be unsafe by [@​alex](https://redirect.github.com/alex) in [#​2594](https://redirect.github.com/rust-openssl/rust-openssl/pull/2594)
- Set timeout for package installation step by [@​alex](https://redirect.github.com/alex) in [#​2595](https://redirect.github.com/rust-openssl/rust-openssl/pull/2595)
- Panic in Crypter::new when IV is required but not provided by [@​alex](https://redirect.github.com/alex) in [#​2596](https://redirect.github.com/rust-openssl/rust-openssl/pull/2596)
- openssl 4 support by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2591](https://redirect.github.com/rust-openssl/rust-openssl/pull/2591)
- Avoid panic for overlong OIDs by [@​botovq](https://redirect.github.com/botovq) in [#​2598](https://redirect.github.com/rust-openssl/rust-openssl/pull/2598)
- Fix dangling stack pointer in custom extension add callback by [@​alex](https://redirect.github.com/alex) in [#​2599](https://redirect.github.com/rust-openssl/rust-openssl/pull/2599)
- Add support for LibreSSL 4.3.x by [@​botovq](https://redirect.github.com/botovq) in [#​2603](https://redirect.github.com/rust-openssl/rust-openssl/pull/2603)
- fix inverted bounds assertion in AES key unwrap by [@​reaperhulk](https://redirect.github.com/reaperhulk) in [#​2604](https://redirect.github.com/rust-openssl/rust-openssl/pull/2604)
- Reject oversized length returns from password callback trampoline by [@​alex](https://redirect.github.com/alex) in [#​2605](https://redirect.github.com/rust-openssl/rust-openssl/pull/2605)
- Validate callback-returned lengths in PSK and cookie trampolines by [@​alex](https://redirect.github.com/alex) in [#​2607](https://redirect.github.com/rust-openssl/rust-openssl/pull/2607)
- Error for short out in MdCtxRef::digest\_final() by [@​botovq](https://redirect.github.com/botovq) in [#​2608](https://redirect.github.com/rust-openssl/rust-openssl/pull/2608)
- Check derive output buffer length on OpenSSL 1.1.x by [@​alex](https://redirect.github.com/alex) in [#​2606](https://redirect.github.com/rust-openssl/rust-openssl/pull/2606)
- Release openssl v0.10.78 and openssl-sys v0.9.114 by [@​alex](https://redirect.github.com/alex) in [#​2609](https://redirect.github.com/rust-openssl/rust-openssl/pull/2609)
**Full Changelog**: <rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78>
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Los_Angeles)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).
GitOrigin-RevId: 9433e6357944ca9fc1227c95e19aa967d1c815b21 parent a5b0790 commit ebd437c
1 file changed
Lines changed: 4 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments