[PR #7115] [CLOSED] Bump rustls-webpki 0.103.11 to 0.103.12 #23414

Closed
opened 2026-05-16 05:59:57 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/7115
Author: @ownrootops
Created: 4/21/2026
Status: Closed

Base: main ← Head: bump-rustls-webpki-0.103.12


📝 Commits (1)

  • c71fd0d Bump rustls-webpki 0.103.11 to 0.103.12

📊 Changes

1 file changed (+3 additions, -3 deletions)

📝 Cargo.lock (+3 -3)

📄 Description

This PR updates rustls-webpki from 0.103.11 to 0.103.12 in
Cargo.lock to address two advisories published on 2026-04-15:

  • RUSTSEC-2026-0098 / GHSA-965h-392x-2mh5: URI name constraints
    were silently accepted instead of rejected.
  • RUSTSEC-2026-0099 / GHSA-xgp8-3hg3-c2mh: permitted-subtree
    DNS name constraints were accepted for certificates asserting a
    wildcard name.

Both bugs are reachable only after signature verification and require
misissuance to exploit. Defense-in-depth fix.

The change was produced with cargo update -p rustls-webpki@0.103.11
and only Cargo.lock is modified. No other dependencies move.

Note on the second rustls-webpki copy

cargo audit also flags a second copy of rustls-webpki at 0.101.7,
pulled transitively via rocket 0.5.1 -> rustls 0.21.x. That copy
is not addressed here; resolving it requires a Rocket release
against a newer rustls tree, which is outside the scope of this PR.

References

  • https://rustsec.org/advisories/RUSTSEC-2026-0098.html
  • https://rustsec.org/advisories/RUSTSEC-2026-0099.html
  • https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5
  • https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
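The description points out that a lock file can hold two copies of the same crate, and that bumping one of them does nothing for the other. The check a practitioner wants after a bump like this is therefore not "is 0.103.12 in Cargo.lock" but "which versions of the crate are in Cargo.lock, and what pulls each one in". The script below does that offline: it parses a Cargo.lock, builds the inverse dependency graph and prints, for every copy of a crate, whether it predates the fixed version and the chain from the copy up to the root crate, which is what cargo tree -i rustls-webpki@0.101.7 shows on the real tree. This is an added example for this thread, not vaultwarden's, Rocket's or rustls-webpki's code. The lock file it parses is constructed: the crate names and the versions 0.5.1, 0.101.7 and 0.103.12 come from the PR description, while the root crate "app", the rustls versions 0.21.12 and 0.23.5 and the dependency lists are placeholders, and checksums are left out.

```python
"""Locate every copy of a crate in a Cargo.lock and trace what pulls it in.

Added example for this PR thread, not vaultwarden's or rustls-webpki's code.
SAMPLE_LOCK is constructed: names and the versions 0.5.1 / 0.101.7 / 0.103.12
come from the PR, everything else (root crate "app", rustls 0.21.12 and
0.23.5, the dependency lists) is a placeholder, and checksums are omitted.
"""
from collections import defaultdict

SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "rocket",
 "rustls 0.23.5",
]

[[package]]
name = "rocket"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "rustls 0.21.12",
]

[[package]]
name = "rustls"
version = "0.21.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "rustls-webpki 0.101.7",
]

[[package]]
name = "rustls"
version = "0.23.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "rustls-webpki 0.103.12",
]

[[package]]
name = "rustls-webpki"
version = "0.101.7"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.103.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def version_key(version: str) -> tuple[int, ...]:
    """Numeric sort key; a pre-release suffix such as "-beta.1" is dropped."""
    return tuple(int(part) for part in version.split("-", 1)[0].split("."))


def parse_lock(text: str) -> dict:
    """Map (name, version) -> list of dependency strings, one per [[package]]."""
    packages = {}
    for block in text.split("\n\n"):
        lines = [ln.strip() for ln in block.strip().splitlines()]
        if not lines or lines[0] != "[[package]]":
            continue  # header comment, "version = N" or [metadata] table
        name = version = None
        deps, in_deps = [], False
        for line in lines[1:]:
            if in_deps:
                if line.startswith("]"):
                    in_deps = False
                else:
                    deps.append(line.rstrip(",").strip('"'))
            elif line.startswith("name ="):
                name = line.split("=", 1)[1].strip().strip('"')
            elif line.startswith("version ="):
                version = line.split("=", 1)[1].strip().strip('"')
            elif line.startswith("dependencies ="):
                in_deps = not line.endswith("]")  # "dependencies = []" is empty
        if name and version:
            packages[(name, version)] = deps
    return packages


def resolve_dep(dep: str, packages: dict):
    """Resolve "name", "name version" or "name version (source)" to a key.
    Cargo only writes the version when several copies of the crate exist."""
    parts = dep.split()
    if len(parts) >= 2:
        return (parts[0], parts[1])
    candidates = [key for key in packages if key[0] == parts[0]]
    return candidates[0] if len(candidates) == 1 else None


def dependents(packages: dict) -> dict:
    """Inverse edges: (name, version) -> packages that depend on it."""
    rev = defaultdict(list)
    for pkg, deps in packages.items():
        for dep in deps:
            target = resolve_dep(dep, packages)
            if target is not None and target in packages:
                rev[target].append(pkg)
    return rev


def inverse_paths(rev: dict, start: tuple, path: tuple = ()):
    """Yield chains from `start` up to each root, like `cargo tree -i`."""
    path = path + (start,)
    parents = rev.get(start, [])
    if not parents:
        yield path
        return
    for parent in parents:
        if parent in path:  # dev-dependency cycles occur in real lock files
            yield path
        else:
            yield from inverse_paths(rev, parent, path)


def audit_crate(lock_text: str, crate: str, fixed_version: str) -> list:
    """Every copy of `crate`: version, whether it predates `fixed_version`,
    and the sorted inverse dependency chains that pull it in."""
    packages = parse_lock(lock_text)
    rev = dependents(packages)
    copies = sorted((k for k in packages if k[0] == crate),
                    key=lambda k: version_key(k[1]))
    report = []
    for key in copies:
        chains = [" <- ".join(f"{n} {v}" for n, v in chain)
                  for chain in inverse_paths(rev, key)]
        report.append({
            "version": key[1],
            "vulnerable": version_key(key[1]) < version_key(fixed_version),
            "chains": sorted(chains),
        })
    return report


if __name__ == "__main__":
    for entry in audit_crate(SAMPLE_LOCK, "rustls-webpki", "0.103.12"):
        status = "VULNERABLE" if entry["vulnerable"] else "ok"
        print(f"rustls-webpki {entry['version']}: {status}")
        for chain in entry["chains"]:
            print("   ", chain)
```

On the constructed lock file the 0.101.7 copy is reported as vulnerable with the chain rustls-webpki 0.101.7 <- rustls 0.21.12 <- rocket 0.5.1 <- app 0.1.0, which is the shape of the dependency the description says a Rocket release would have to change; the 0.103.12 copy is reported as fixed. Against a real repository the same question is answered by cargo tree -i rustls-webpki@0.101.7 and by cargo audit, which is what flagged the second copy in the first place.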
GiteaMirror added the pull-request label 2026-05-16 05:59:57 -05:00
Reference: github-starred/vaultwarden#23414