Title: chore(deps): Bump rustls-webpki from 0.103.9 to 0.103.13 by dependabot[bot] · Pull Request #66 · SocketDev/socket-patch · GitHub
Open Graph Title: chore(deps): Bump rustls-webpki from 0.103.9 to 0.103.13 by dependabot[bot] · Pull Request #66 · SocketDev/socket-patch
X Title: chore(deps): Bump rustls-webpki from 0.103.9 to 0.103.13 by dependabot[bot] · Pull Request #66 · SocketDev/socket-patch
Description: Bumps rustls-webpki from 0.103.9 to 0.103.13.
Release notes
Sourced from rustls-webpki's releases.
0.103.13
Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.
What's Changed
Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473
Prepare 0.103.13 by @ctz in rustls/webpki#474
Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13
0.103.12
This release fixes two bugs in name constraint enforcement:
GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.
Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.
What's Changed
Prepare 0.103.12 by @djc in rustls/webpki#470
Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12
0.103.11
In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.
What's Changed
Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466
0.103.10
Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.
The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.
This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)
More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.
This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.
What's Changed
Freshen up rel-0.103 by @ctz in rustls/webpki#455
Prepare 0.103.10 by @ctz in rustls/webpki#458
Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10
Commits
2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show
Open Graph Description: Bumps rustls-webpki from 0.103.9 to 0.103.13. Release notes Sourced from rustls-webpki's releases. 0.103.13 Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gf...
X Description: Bumps rustls-webpki from 0.103.9 to 0.103.13. Release notes Sourced from rustls-webpki's releases. 0.103.13 Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2c...
Opengraph URL: https://github.com/SocketDev/socket-patch/pull/66
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:636b9e79-36aa-7433-5a2e-ba704eaea4f2 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 8A4E:C3948:3777AF9:4CA610D:6A4F3F8F |
| html-safe-nonce | db0a129f1395ecd576e2871cc5add000cdb50403a6bce037b3caa31337aacc0f |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4QTRFOkMzOTQ4OjM3NzdBRjk6NENBNjEwRDo2QTRGM0Y4RiIsInZpc2l0b3JfaWQiOiIyNjEwODMwMzg2NzM3OTIxOTM1IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 2e41e2c6ca7592ce2e15db1b8e69a2d1b621d9559dc1e5cb1423ba01fc44b5c8 |
| hovercard-subject-tag | pull_request:3580483311 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/SocketDev/socket-patch/pull/66/files |
| twitter:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| og:image:alt | Bumps rustls-webpki from 0.103.9 to 0.103.13. Release notes Sourced from rustls-webpki's releases. 0.103.13 Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gf... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | b92d11c0aa4a77d54ef4af1078b6a15fb5a70a215b30c4ecf28889d5a8e656d9 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/SocketDev/socket-patch git https://github.com/SocketDev/socket-patch.git |
| octolytics-dimension-user_id | 69326764 |
| octolytics-dimension-user_login | SocketDev |
| octolytics-dimension-repository_id | 1093661456 |
| octolytics-dimension-repository_nwo | SocketDev/socket-patch |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1093661456 |
| octolytics-dimension-repository_network_root_nwo | SocketDev/socket-patch |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 4b249b445842943ed31549e027f57a8ade9881ed |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width