From 944213bc5dd8ac2d6a13e6da2b7ef48172ca936c Mon Sep 17 00:00:00 2001
From: openoms
Date: Tue, 12 May 2026 12:02:26 +0200
Subject: [PATCH] fix: address rustls-webpki audit failures

Upgrade fedimint-tonic-lnd to 0.4.0 with tls-ring so the LND client uses the patched rustls 0.23 stack, and update rustls-webpki 0.103.x to 0.103.13. Add the new rustls-webpki advisory to the existing audit ignore block for the remaining 0.101.x path still pulled through bdk/electrum-client.
---
 .cargo/audit.toml | 1 +
 Cargo.lock | 205 +++++++++++++++++++++++++++++-----------------
 Cargo.toml | 3 +-
 3 files changed, 135 insertions(+), 74 deletions(-)

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
index 0a8cdcda..8e8f6df3 100644
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -5,4 +5,5 @@ ignore = [
 # TODO: remove once electrum-client/bdk stops pulling rustls-webpki 0.101.7
 "RUSTSEC-2026-0098",
 "RUSTSEC-2026-0099",
+ "RUSTSEC-2026-0104",
 ]
diff --git a/Cargo.lock b/Cargo.lock
index bd1ce79f..fd23fec7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -224,7 +224,7 @@ dependencies = [
 "http-body 0.4.6", "hyper 0.14.32", "itoa", - "matchit", + "matchit 0.7.3", "memchr", "mime", "percent-encoding",
@@ -251,7 +251,7 @@ dependencies = [
 "http-body 1.0.1", "http-body-util", "itoa", - "matchit", + "matchit 0.7.3", "memchr", "mime", "percent-encoding",
@@ -264,6 +264,31 @@ dependencies = [
 "tower-service", ] +[[package]] +name = "axum" +version = "0.8.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "31b698c5f9a010f6573133b09e0de5408834d0c82f8d7475a89fc1867a71cd90" +dependencies = [ + "axum-core 0.5.6", + "bytes", + "futures-util", + "http 1.4.0", + "http-body 1.0.1", + "http-body-util", + "itoa", + "matchit 0.8.4", + "memchr", + "mime", + "percent-encoding", + "pin-project-lite", + "serde_core", + "sync_wrapper 1.0.2", + "tower 0.5.3", + "tower-layer", + "tower-service", +] + [[package]] name = "axum-core" version = "0.3.4"
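Review bot: The added `"RUSTSEC-2026-0104"` entry, like the two above it, silences that advisory ID for every rustls-webpki copy in the lock, not only the 0.101.7 instance the TODO names, so a later regression that pulls an affected 0.103.x (or any other affected version) back in would be hidden for all three IDs. The comment should record the accepted instance and the re-check a maintainer should run, e.g. `# TODO: remove once electrum-client/bdk stops pulling rustls-webpki 0.101.7.` / `# Accepted for that 0.101.7 instance only; cargo-audit ignores are per advisory, so after` / `# any dependency bump re-run `cargo tree -i rustls-webpki@0.101.7` and drop these IDs once the path is gone.` That also gives a reviewer a way to confirm the commit message's claim that bdk/electrum-client is the only remaining 0.101.x path, which the hunk itself does not show. The `ignore = [` array this hunk edits starts outside the hunk.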
@@ -301,6 +326,24 @@ dependencies = [ "tower-service", ] +[[package]] +name = "axum-core" +version = "0.5.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08c78f31d7b1291f7ee735c1c6780ccde7785daae9a9206026862dab7d8792d1" +dependencies = [ + "bytes", + "futures-core", + "http 1.4.0", + "http-body 1.0.1", + "http-body-util", + "mime", + "pin-project-lite", + "sync_wrapper 1.0.2", + "tower-layer", + "tower-service", +] + [[package]] name = "base64" version = "0.13.1" @@ -1122,22 +1165,21 @@ checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be" [[package]] name = "fedimint-tonic-lnd" -version = "0.2.0" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df03ca33b5116de3051c1e233fe341e23b04c4913c7b16042497924559bc2a2e" +checksum = "544e07140e0b295035d28068a66ed752ada57762571ddbb3ac54124c3d9cc892" dependencies = [ "hex", - "http-body 0.4.6", - "hyper 0.14.32", - "hyper-rustls 0.24.2", - "prost 0.12.6", - "rustls 0.21.12", + "hyper 1.8.1", + "hyper-rustls", + "hyper-util", + "prost 0.13.5", + "rustls 0.23.37", "rustls-pemfile 1.0.4", "tokio", "tokio-stream", - "tonic 0.10.2", - "tonic-build 0.10.2", - "tower 0.4.13", + "tonic 0.13.1", + "tonic-build 0.13.1", ] [[package]] @@ -1645,20 +1687,6 @@ dependencies = [ "want", ] -[[package]] -name = "hyper-rustls" -version = "0.24.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" -dependencies = [ - "futures-util", - "http 0.2.12", - "hyper 0.14.32", - "rustls 0.21.12", - "tokio", - "tokio-rustls 0.24.1", -] - [[package]] name = "hyper-rustls" version = "0.27.7" @@ -1671,7 +1699,7 @@ dependencies = [ "rustls 0.23.37", "rustls-pki-types", "tokio", - "tokio-rustls 0.26.4", + "tokio-rustls", "tower-service", "webpki-roots 1.0.6", ] 
@@ -2121,6 +2149,12 @@ version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94" +[[package]] +name = "matchit" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3" + [[package]] name = "md-5" version = "0.10.6" @@ -2660,7 +2694,27 @@ dependencies = [ "petgraph 0.6.5", "prettyplease", "prost 0.12.6", - "prost-types", + "prost-types 0.12.6", + "regex", + "syn 2.0.117", + "tempfile", +] + +[[package]] +name = "prost-build" +version = "0.13.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "be769465445e8c1474e9c5dac2018218498557af32d9ed057325ec9a41ae81bf" +dependencies = [ + "heck", + "itertools 0.14.0", + "log", + "multimap", + "once_cell", + "petgraph 0.7.1", + "prettyplease", + "prost 0.13.5", + "prost-types 0.13.5", "regex", "syn 2.0.117", "tempfile", @@ -2701,6 +2755,15 @@ dependencies = [ "prost 0.12.6", ] +[[package]] +name = "prost-types" +version = "0.13.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "52c2c1bf36ddb1a1c396b3601a3cec27c2462e45f07c386894ec3ccf5332bd16" +dependencies = [ + "prost 0.13.5", +] + [[package]] name = "prost-wkt" version = "0.5.1" @@ -2724,8 +2787,8 @@ checksum = "598b7365952c2ed4e32902de0533653aafbe5ae3da436e8e2335c7d375a1cef3" dependencies = [ "heck", "prost 0.12.6", - "prost-build", - "prost-types", + "prost-build 0.12.6", + "prost-types 0.12.6", "quote", ] @@ -2737,8 +2800,8 @@ checksum = "1a8eadc2381640a49c1fbfb9f4a857794b4e5bf5a2cbc2d858cfdb74f64dcd22" dependencies = [ "chrono", "prost 0.12.6", - "prost-build", - "prost-types", + "prost-build 0.12.6", + "prost-types 0.12.6", "prost-wkt", "prost-wkt-build", "protobuf-src", 
@@ -3042,7 +3105,7 @@ dependencies = [ "http-body 1.0.1", "http-body-util", "hyper 1.8.1", - "hyper-rustls 0.27.7", + "hyper-rustls", "hyper-util", "js-sys", "log", @@ -3056,7 +3119,7 @@ dependencies = [ "serde_urlencoded", "sync_wrapper 1.0.2", "tokio", - "tokio-rustls 0.26.4", + "tokio-rustls", "tower 0.5.3", "tower-http", "tower-service", @@ -3241,10 +3304,11 @@ version = "0.23.37" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4" dependencies = [ + "log", "once_cell", "ring", "rustls-pki-types", - "rustls-webpki 0.103.9", + "rustls-webpki 0.103.13", "subtle", "zeroize", ] @@ -3289,9 +3353,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.9" +version = "0.103.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" dependencies = [ "ring", "rustls-pki-types", @@ -4252,16 +4316,6 @@ dependencies = [ "syn 2.0.117", ] -[[package]] -name = "tokio-rustls" -version = "0.24.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" -dependencies = [ - "rustls 0.21.12", - "tokio", -] - [[package]] name = "tokio-rustls" version = "0.26.4" @@ -4329,9 +4383,9 @@ dependencies = [ [[package]] name = "tonic" -version = "0.10.2" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d560933a0de61cf715926b9cac824d4c883c2c43142f787595e48280c40a1d0e" +checksum = "76c4eb7a4e9ef9d4763600161f12f5070b92a578e1b634db88a6887844c91a13" dependencies = [ "async-stream", "async-trait", 
@@ -4346,10 +4400,7 @@ dependencies = [ "percent-encoding", "pin-project", "prost 0.12.6", - "rustls 0.21.12", - "rustls-pemfile 1.0.4", "tokio", - "tokio-rustls 0.24.1", "tokio-stream", "tower 0.4.13", "tower-layer", @@ -4359,23 +4410,26 @@ dependencies = [ [[package]] name = "tonic" -version = "0.11.0" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76c4eb7a4e9ef9d4763600161f12f5070b92a578e1b634db88a6887844c91a13" +checksum = "877c5b330756d856ffcc4553ab34a5684481ade925ecc54bcd1bf02b1d0d4d52" dependencies = [ "async-stream", "async-trait", - "axum 0.6.20", - "base64 0.21.7", + "axum 0.7.9", + "base64 0.22.1", "bytes", - "h2 0.3.27", - "http 0.2.12", - "http-body 0.4.6", - "hyper 0.14.32", - "hyper-timeout 0.4.1", + "h2 0.4.13", + "http 1.4.0", + "http-body 1.0.1", + "http-body-util", + "hyper 1.8.1", + "hyper-timeout 0.5.2", + "hyper-util", "percent-encoding", "pin-project", - "prost 0.12.6", + "prost 0.13.5", + "socket2 0.5.10", "tokio", "tokio-stream", "tower 0.4.13", @@ -4386,13 +4440,12 @@ dependencies = [ [[package]] name = "tonic" -version = "0.12.3" +version = "0.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "877c5b330756d856ffcc4553ab34a5684481ade925ecc54bcd1bf02b1d0d4d52" +checksum = "7e581ba15a835f4d9ea06c55ab1bd4dce26fc53752c69a04aac00703bfb49ba9" dependencies = [ - "async-stream", "async-trait", - "axum 0.7.9", + "axum 0.8.9", "base64 0.22.1", "bytes", "h2 0.4.13", @@ -4407,8 +4460,9 @@ dependencies = [ "prost 0.13.5", "socket2 0.5.10", "tokio", + "tokio-rustls", "tokio-stream", - "tower 0.4.13", + "tower 0.5.3", "tower-layer", "tower-service", "tracing", 
@@ -4416,26 +4470,27 @@ dependencies = [
 [[package]] name = "tonic-build" -version = "0.10.2" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d021fc044c18582b9a2408cd0dd05b1596e3ecdb5c4df822bb0183545683889" +checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" dependencies = [ "prettyplease", "proc-macro2", - "prost-build", + "prost-build 0.12.6", "quote", "syn 2.0.117", ] [[package]] name = "tonic-build" -version = "0.11.0" +version = "0.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" +checksum = "eac6f67be712d12f0b41328db3137e0d0757645d8904b4cb7d51cd9c2279e847" dependencies = [ "prettyplease", "proc-macro2", - "prost-build", + "prost-build 0.13.5", + "prost-types 0.13.5", "quote", "syn 2.0.117", ]
@@ -4481,11 +4536,15 @@ checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
 dependencies = [ "futures-core", "futures-util", + "indexmap 2.13.0", "pin-project-lite", + "slab", "sync_wrapper 1.0.2", "tokio", + "tokio-util", "tower-layer", "tower-service", + "tracing", ] [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index 88f1d420..aee57e8b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -72,8 +72,9 @@ miniscript = "10.0"
 reqwest-retry = "0.5.0"
 reqwest-middleware = "0.3"
 governor = "0.8.1"
-tonic_lnd = { version = "0.2.0", package = "fedimint-tonic-lnd", features = [
+tonic_lnd = { version = "0.4.0", package = "fedimint-tonic-lnd", features = [
 "lightningrpc",
+ "tls-ring",
 ] }
 [dev-dependencies]
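Review bot: Nothing in the manifest says why `"tls-ring"` is now enabled on `tonic_lnd`; the commit message presents it as the thing that moves the LND client onto the rustls 0.23 stack, and the `fedimint-tonic-lnd` 0.4.0 entry in the Cargo.lock hunk does show it depending on `rustls 0.23.37` via `hyper-rustls`, so a later feature trim could quietly undo the audit fix with no build-time signal. Add a why-comment on the new feature line, `"tls-ring", # keep: routes LND TLS through rustls 0.23 (rustls-webpki audit fix; see .cargo/audit.toml)`. Whether `tls-ring` is the only TLS backend feature the crate offers is not visible here, so if an alternative exists the comment should name why ring was chosen. The `[dev-dependencies]` table that follows this entry continues outside the hunk.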