Bump rustls-webpki to patched version in lock files #565
jamillambert merged 1 commit into rust-bitcoin:master from
jamillambert
left a comment
Should also update bitreq/Cargo.toml dependency to 0.103.13
edae8e0 to 29f4db5
Ah, right, now amended.

Maybe this needs rebase to get past CI after the feature guard fixes in #563 but I didn't look too closely.

Hey @tnull forgive me for being retarded but I don't know what 'Co-Authored-By: HAL 9000' means. Is that just a funny joke or supposed to be a real thing to say you did this patch with an unnamed LLM? (Or is there some tool using this joke for real?)
RUSTSEC-2026-0104 reports a reachable DoS panic in `rustls-webpki` versions prior to `0.103.13` when parsing a CRL whose `IssuingDistributionPoint.onlySomeReasons` extension contains a syntactically valid empty `BIT STRING`. Bumping the pinned version in both checked-in lock files to `0.103.13` addresses the advisory.

Co-Authored-By: HAL 9000
Signed-off-by: Elias Rohrer <dev@tnull.de>
29f4db5 to fe99e0d
FTR, we now have confirmation that the
Yes, this one. Rebased to make CI green.
jamillambert
left a comment
ACK fe99e0d
No changes to the patch in this PR
Fixes #567.
I suggest we leave this one open for another day to check if the cronjob will actually open an issue tonight.