chore(deps): update rust crate openssl to v0.10.79 [security] by renovate[bot] · Pull Request #166 · bartvdbraak/keyweave

renovate · 2025-02-03T22:28:55Z

This PR contains the following updates:

Package	Type	Update	Change
openssl	dependencies	patch	`0.10.68` → `0.10.79`

rust-openssl ssl::select_next_proto use after free

CVE-2025-24898 / GHSA-rpmj-rpgj-qmpm

More information

Details

Impact

ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

Patches

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

Workarounds

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

References

https://github.com/sfackler/rust-openssl/pull/2360

Severity

CVSS Score: 6.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

rust-openssl Use-After-Free in `Md::fetch` and `Cipher::fetch`

GHSA-4fcv-w3qc-ppgg

More information

Details

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.

Severity

CVSS Score: 6.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check

CVE-2026-41681 / GHSA-ghm9-cr32-g9qj

More information

Details

EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the stack. This is reachable from safe Rust.

Severity

CVSS Score: 8.1 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer

CVE-2026-41898 / GHSA-hppc-g8h3-xhp3

More information

Details

The FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences.

Severity

CVSS Score: 8.3 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

rust-openssl has incorrect bounds assertion in aes key wrap

CVE-2026-41678 / GHSA-8c75-8mhr-p7r9

More information

Details

Summary

aes::unwrap_key() has an incorrect bounds assertion on the out buffer size, which can lead to out-of-bounds write.

Details

aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8, ensuring the output buffer is large enough.

Because of the inverted check, the function only accepts buffers at or below the minimum required size and rejects larger ones. If a smaller buffer is provided the function will write past the end of out by in_.len() - 8 - out.len() bytes, causing an out-of-bounds write from a safe public function.

Impact

Vulnerable applications using AES keywrap and allowing attacker controlled buffer sizes could have an attacker trigger an out-of-bounds write.

Severity

CVSS Score: 7.2 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length

CVE-2026-41677 / GHSA-xmgf-hq76-4vx2

More information

Details

The *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this.

Severity

CVSS Score: 1.7 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1

CVE-2026-41676 / GHSA-pqf5-4pqq-29f5

More information

Details

Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL.

Severity

CVSS Score: 7.2 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs

CVE-2026-42327 / GHSA-xp3w-r5p5-63rr

More information

Details

X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior.

Severity

CVSS Score: 8.7 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

rust-openssl/rust-openssl (openssl)

`v0.10.79`

Compare Source

What's Changed

Bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in #2610
Try to fix OpenSSL 1.1.0l download by @botovq in #2614
Require &mut BigNumContextRef for EcPointRef mul/invert by @alex in #2615
Fix UB in EcGroupRef::generator on groups without a generator by @alex in #2617
Replace use libc::*; with targeted imports in openssl-sys by @alex in #2618
Add PKeyRef::is_a and KeyType for name-based key identification by @reaperhulk in #2619
Add PKey::{public,private}_key_from_raw_bytes_ex by @reaperhulk in #2620
Bump MSRV to 1.80 by @reaperhulk in #2622
Drop once_cell in favor of std::sync::{LazyLock, OnceLock} by @reaperhulk in #2623
Add PKey::private_key_from_seed for ML-DSA/ML-KEM key import by @reaperhulk in #2621
parallelize more builds in CI for cold caches by @reaperhulk in #2625
Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction by @reaperhulk in #2626
Fix process abort when verify/PSK callbacks fire after SSL_CTX swap by @alex in #2624
Bind OSSL_PARAM_modified and use it for seed_into by @reaperhulk in #2628
Add PkeyCtxRef::set_context_string for ML-DSA by @reaperhulk in #2629
Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders by @alex in #2631
Fix output buffer overflow for AES key-wrap-with-padding ciphers by @alex in #2630
Release openssl 0.10.79 and openssl-sys 0.9.115 by @reaperhulk in #2632

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79

`v0.10.78`

Compare Source

What's Changed

Fix Suite B flag assignments in verify.rs by @alex in #2592
Use cvt_p for OPENSSL_malloc error handling by @alex in #2593
Mark BIO_get_mem_data on AWS-LC to be unsafe by @alex in #2594
Set timeout for package installation step by @alex in #2595
Panic in Crypter::new when IV is required but not provided by @alex in #2596
openssl 4 support by @reaperhulk in #2591
Avoid panic for overlong OIDs by @botovq in #2598
Fix dangling stack pointer in custom extension add callback by @alex in #2599
Add support for LibreSSL 4.3.x by @botovq in #2603
fix inverted bounds assertion in AES key unwrap by @reaperhulk in #2604
Reject oversized length returns from password callback trampoline by @alex in #2605
Validate callback-returned lengths in PSK and cookie trampolines by @alex in #2607
Error for short out in MdCtxRef::digest_final() by @botovq in #2608
Check derive output buffer length on OpenSSL 1.1.x by @alex in #2606
Release openssl v0.10.78 and openssl-sys v0.9.114 by @alex in #2609

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

`v0.10.77`

Compare Source

What's Changed

CI: Hash-pin all action usage, avoid credential persistence in actions/checkout by @woodruffw in #2587
Bump aws-lc-sys to 0.39 by @goffrie in #2588
md_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC by @alex in #2589
Release openssl v0.10.77 and openssl-sys v0.9.113 by @alex in #2590

New Contributors

@woodruffw made their first contribution in #2587

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.77

`v0.10.76`

Compare Source

What's Changed

feat: New methods EVP_PKEY_new_raw_*_key_ex and EVP_PKEY_is_a by @FinnRG in #2521
Fix invalid value parsing of OCSP revocation reason by @danpashin in #2523
Bump actions/checkout from 5 to 6 by @dependabot[bot] in #2524
Bump aws-lc-sys from 0.27 to 0.34 by @goffrie in #2526
Expose X509_NAME_dup on all versions of OpenSSL by @alex in #2529
Unconditionally expose some *_dup() functions by @botovq in #2530
reintroduce dir_name support for subject_alt_names by @mqqz in #2528
Fix cipher comparison with NID instead of pointers by @lwestlund in #2531
Remove ASN1_STRING_data for LibreSSL 4.3.0 by @botovq in #2534
drop openssl 1.0.2 by @alex in #2545
Bump actions/cache from 4 to 5 by @dependabot[bot] in #2542
Add Debug implementation for EcdsaSig{,Ref} by @buytenh in #2540
Add HKDF support by @Zenkibou in #2543
Enhance Debug implementation for Nid by @buytenh in #2547
Remove X509_VERIFY_PARAM_ID for LibreSSL 4.3.0 by @botovq in #2549
Add UpperHex implementation for BigNum{,Ref} by @buytenh in #2550
Add Debug implementation for EcGroup{,Ref} by @buytenh in #2548
test against openssl 3.6.0 in ci by @alex in #2546
Remove more OpenSSL 1.0.2 complications by @botovq in #2559
Still more OpenSSL 1.0.2 complications by @botovq in #2560
Remove more dead config branches by @botovq in #2561
Let AWS-LC use the BoringSSL path for BIO_METHOD by @botovq in #2562
Two small LibreSSL tweaks by @botovq in #2563
Upgrade ctest to 0.5 by @alex in #2569
add more brainpool curve NID constants by @butteronarchbtw in #2567
fix min-version CI by @alex in #2573
Fix use-after-free of error strings on BoringSSL/aws-lc by @alex in #2572
Pin quote to 1.0.44 for min-version CI by @alex in #2579
Constify from_raw by @DarkaMaul in #2580
Support pregenerated Rust bindings from AWS-LC installations by @justsmth in #2578
Bump aws-lc-sys to 0.38 by @goffrie in #2581
Release openssl v0.10.76 and openssl-sys v0.9.112 by @weihanglo in #2582

New Contributors

@FinnRG made their first contribution in #2521
@danpashin made their first contribution in #2523
@mqqz made their first contribution in #2528
@lwestlund made their first contribution in #2531
@buytenh made their first contribution in #2540
@Zenkibou made their first contribution in #2543
@butteronarchbtw made their first contribution in #2567
@DarkaMaul made their first contribution in #2580
@weihanglo made their first contribution in #2582

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.75...openssl-v0.10.76

`v0.10.75`

Compare Source

What's Changed

Fix a few typos (most of them found with codespell) by @botovq in #2502
Use SHA256 test variant instead of SHA1 by @abbra in #2504
pin home to an older version on MSRV CI by @alex in #2509
Implement set_rsa_oaep_label for AWS-LC/BoringSSL by @goffrie in #2508
sys/evp: add EVP_MAC symbols by @huwcbjones in #2510
CI: bump LibreSSL 4.x branches to latest releases by @botovq in #2513
Fix unsound OCSP find_status handling of optional next_update field by @alex in #2517
Release openssl v0.10.75 and openssl-sys v0.9.111 by @alex in #2518

New Contributors

@abbra made their first contribution in #2504
@goffrie made their first contribution in #2508

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.74...openssl-v0.10.75

`v0.10.74`

Compare Source

What's Changed

[AIX] use /usr to find_openssl_dir by @daltenty in #2401
Improve support for OPENSSL_NO_COMP and OPENSSL_NO_SRTP by @justsmth in #2423
Add aws-lc-fips feature to allow linking the aws-lc-fips-sys crate by @skmcgrail in #2424
variety of fixes for warnings in new rust by @alex in #2427
Some API adjustments for LibreSSL 4.2.0 by @botovq in #2426
Update OpenSSL documentation URLs to new docs.openssl.org domain by @alex in #2430
pkey_ctx: add ability to generate DSA params & keys by @huwcbjones in #2432
Run tests on windows-11-arm by @saschanaz in #2407
pkey_ctx: add ability to generate EC params & keys by @huwcbjones in #2434
pkey_ctx: add ability to generate DH params & keys by @huwcbjones in #2433
pkey_ctx: add ability to generate RSA keys by @huwcbjones in #2431
expose more verifier flags/errors for libressl by @botovq in #2441
sys/evp: set/get params bindings by @huwcbjones in #2436
Add support for argon2d and argon2i variants by @greateggsgreg in #2416
Bump actions/checkout from 4 to 5 by @dependabot[bot] in #2443
Update bindgen; Update MSRV to 1.70 by @justsmth in #2438
macros: fully qualify imports by @huwcbjones in #2445
Disable AES-CFB128 ciphers for BoringSSL by @alebastr in #2447
Fix missing "__off_t" on NetBSD 10 by @alebastr in #2448
ML-KEM/ML-DSA part 1: openssl-sys changes by @swenson in #2450
sys: add symbols to construct an EVP_PKEY from a param builder by @huwcbjones in #2453
ec-point: add set_affine_coordinates by @huwcbjones in #2455
openssl-sys: add more functions to replace non-deprecated ones by @huwcbjones in #2457
ML-KEM/ML-DSA part 2: param builder by @swenson in #2451
ML-KEM/ML-DSA part 3: param array locate octet string by @swenson in #2458
sys: add encoder & decoder symbols by @huwcbjones in #2454
Add bindings for SSL_CIPHER_get_protocol_id by @jedenastka in #2462
sys/evp: add EVP_PKEY_eq and EVP_PKEY_parameters_eq by @huwcbjones in #2463
openssl-sys: make it work without deprecated symbols by @huwcbjones in #2452
drop old libressl versions by @botovq in #2473
Remove support for LibreSSL < 2.8 by @botovq in #2475
Sort OpenSSL version checks in ascending order by @alex in #2476
Update GitHub repository URLs from sfackler org to rust-openssl org by @alex in #2477
Remove support for LibreSSL < 2.9 by @botovq in #2478
remove branch for libressl 2.6.1 by @alex in #2479
remove pointless libressl cfg check by @alex in #2480
Expose SSL_get0_group_name by @toddabrams in #2482
Remove support for LibreSSL < 3.0 by @botovq in #2481
Remove support for LibreSSL < 3.2 by @botovq in #2483
Remove and simplify a ton of cfgs that weren't required by @alex in #2484
clippy fixes + don't build locking code on libressl by @alex in #2485
remove unneeded cfg and expose X509::append_entry on boringssl/awslc by @alex in #2486
Expose EcGroup::order_bits on Boring, Libre, and AWS-LC by @alex in #2487
Remove support for LibreSSL < 3.3 by @botovq in #2488
add mlkem headers to boringssl bindgen by @reaperhulk in #2492
bump boringssl commit hash in CI by @reaperhulk in #2493
raise boringssl version in CI by @alex in #2494
Bump minimum OpenSSL version to 1.0.2 by @alex in #2491
Enable xof_squeeze on AWS-LC by @alex in #2471
avoid cancelling sequential jobs on master by @alex in #2495
Remove support for LibreSSL < 3.4 by @botovq in #2490
Simplify 'cfg(any(ossl102, ossl110))' by @botovq in #2497
Add support for LibreSSL 4.2 (stable release) by @botovq in #2498
Remove support for LibreSSL < 3.5 by @botovq in #2499
Release openssl v0.10.74 and openssl-sys v0.9.110 by @alex in #2500

New Contributors

@daltenty made their first contribution in #2401
@justsmth made their first contribution in #2423
@huwcbjones made their first contribution in #2432
@saschanaz made their first contribution in #2407
@greateggsgreg made their first contribution in #2416
@dependabot[bot] made their first contribution in #2443
@alebastr made their first contribution in #2447
@swenson made their first contribution in #2450
@jedenastka made their first contribution in #2462
@toddabrams made their first contribution in #2482

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.73...openssl-v0.10.74

`v0.10.73`

Compare Source

What's Changed

test against openssl 3.5.0 by @alex in sfackler#2392
Support Libressl 4.1 by @botovq in sfackler#2398
Release openssl-sys v0.9.108 by @alex in sfackler#2399
Replace ctest2 with ctest by @botovq in sfackler#2403
fixed building on the latest boringssl by @alex in sfackler#2414
Release openssl v0.10.73 and openssl-sys v0.9.109 by @alex in sfackler#2415

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.72...openssl-v0.10.73

`v0.10.72`

Compare Source

What's Changed

make set_rsa_oaep_md visible to boringssl config by @frncs-rss in sfackler#2372
Fix typo in openssl-sys build script by @rushilmehra in sfackler#2375
Unify the two BoringSSL codepaths a bit and simplify init by @davidben in sfackler#2377
pkey_ctx: Fix link to the corresponding OpenSSL function by @Jakuje in sfackler#2378
fix test on MSRV by @alex in sfackler#2383
Add support for AWS-LC to openssl and openssl-sys crates by @skmcgrail in sfackler#1805
Enable additional capabilities for AWS-LC by @skmcgrail in sfackler#2386
Use --experimental with bindgen-cli with aws-lc build by @skmcgrail in sfackler#2389
Fixed two UAFs and bumped versions for release by @alex in sfackler#2390

New Contributors

@Jakuje made their first contribution in sfackler#2378
@skmcgrail made their first contribution in sfackler#1805

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.71...openssl-v0.10.72

`v0.10.71`

Compare Source

What's Changed

Expose rc2 ciphers on symm::Cipher by @alex in sfackler#2361
add full Apache license file to openssl by @frncs-rss in sfackler#2366
Release openssl v0.10.71 and openssl-sys v0.9.106 by @alex in sfackler#2369

New Contributors

@frncs-rss made their first contribution in sfackler#2366

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.70...openssl-v0.10.71

`v0.10.70`: openssl v0.10.70

Compare Source

What's Changed

Attempt to fix CI by pinning to the Ubuntu 22.04 image by @alex in sfackler#2357
Remove EC_METHOD and EC_GROUP_new for LibreSSL 4.1 by @botovq in sfackler#2356
Test against 3.4.0 final release by @alex in sfackler#2359
Expose SslMethod::{dtls_client,dtls_server} by @alex in sfackler#2358
Fix lifetimes in ssl::select_next_proto by @sfackler in sfackler#2360

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.69...openssl-v0.10.70

`v0.10.69`: openssl v0.10.69

Compare Source

What's Changed

build(deps): Update openssl-macro to version 0.1.1 by @caspermeijn in sfackler#2324
Enable set_alpn_select_callback for BoringSSL by @ViktoriiaKovalova in sfackler#2327
Switch the test to use prime256v1 based key by @dcermak in sfackler#2330
Expose EVP_DigestSqueeze from Hasher by @initsecret in sfackler#2275
Expose SSL_CTX_load_verify_locations by @sfackler in sfackler#2353

New Contributors

@caspermeijn made their first contribution in sfackler#2324
@ViktoriiaKovalova made their first contribution in sfackler#2327

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.68...openssl-v0.10.69

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot requested a review from bartvdbraak February 3, 2025 22:28

renovate Bot temporarily deployed to bicep February 3, 2025 22:29 Inactive

renovate Bot temporarily deployed to test February 3, 2025 22:29 Inactive

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from c4d2efe to 698ab58 Compare April 4, 2025 22:19

renovate Bot changed the title ~~fix(deps): update rust crate openssl to v0.10.70 [security]~~ fix(deps): update rust crate openssl to v0.10.72 [security] Apr 4, 2025

renovate Bot temporarily deployed to bicep April 4, 2025 22:19 Inactive

renovate Bot temporarily deployed to test April 4, 2025 22:19 Inactive

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from 698ab58 to 1763ec9 Compare August 10, 2025 12:44

renovate Bot changed the title ~~fix(deps): update rust crate openssl to v0.10.72 [security]~~ chore(deps): update rust crate openssl to v0.10.72 [security] Sep 25, 2025

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from 1763ec9 to e5d65ad Compare December 10, 2025 11:11

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from e5d65ad to e197728 Compare March 14, 2026 06:48

renovate Bot changed the title ~~chore(deps): update rust crate openssl to v0.10.72 [security]~~ chore(deps): update rust crate openssl to v0.10.72 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/crate-openssl-vulnerability branch March 27, 2026 05:43

renovate Bot changed the title ~~chore(deps): update rust crate openssl to v0.10.72 [security] - autoclosed~~ chore(deps): update rust crate openssl to v0.10.72 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from e197728 to b29c752 Compare March 30, 2026 21:14

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from b29c752 to 511074d Compare April 23, 2026 02:11

renovate Bot changed the title ~~chore(deps): update rust crate openssl to v0.10.72 [security]~~ chore(deps): update rust crate openssl to v0.10.78 [security] Apr 23, 2026

renovate Bot changed the title ~~chore(deps): update rust crate openssl to v0.10.78 [security]~~ chore(deps): update rust crate openssl to v0.10.78 [security] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot changed the title ~~chore(deps): update rust crate openssl to v0.10.78 [security] - autoclosed~~ chore(deps): update rust crate openssl to v0.10.78 [security] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from 39a9151 to 511074d Compare April 27, 2026 22:04

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from 511074d to 39a9151 Compare April 27, 2026 22:04

chore(deps): update rust crate openssl to v0.10.79 [security]

5de0156

renovate Bot force-pushed the renovate/crate-openssl-vulnerability branch from 39a9151 to 5de0156 Compare May 6, 2026 17:50

renovate Bot changed the title ~~chore(deps): update rust crate openssl to v0.10.78 [security]~~ chore(deps): update rust crate openssl to v0.10.79 [security] May 6, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update rust crate openssl to v0.10.79 [security]#166

chore(deps): update rust crate openssl to v0.10.79 [security]#166
renovate[bot] wants to merge 1 commit intomainfrom
renovate/crate-openssl-vulnerability

renovate Bot commented Feb 3, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Feb 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

rust-openssl ssl::select_next_proto use after free

Details

Impact

Patches

Workarounds

References

Severity

References

rust-openssl Use-After-Free in Md::fetch and Cipher::fetch

Details

Severity

References

rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check

Details

Severity

References

rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer

Details

Severity

References

rust-openssl has incorrect bounds assertion in aes key wrap

Details

Summary

Details

Impact

Severity

References

rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length

Details

Severity

References

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1

Details

Severity

References

rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs

Details

Severity

References

Release Notes

What's Changed

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

v0.10.70: openssl v0.10.70

What's Changed

v0.10.69: openssl v0.10.69

What's Changed

New Contributors

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Feb 3, 2025 •

edited

Loading

rust-openssl Use-After-Free in `Md::fetch` and `Cipher::fetch`

`v0.10.70`: openssl v0.10.70

`v0.10.69`: openssl v0.10.69