Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update openssl to 0.10.70 per cargo deny advisories suggestion #1864

Merged
merged 3 commits into from
Feb 4, 2025

Conversation

elizabethengelman
Copy link
Contributor

What

Update openssl to 0.10.70

Why

cargo deny check advisories is currently failing with the following vulnerability error:

error[vulnerability]: ssl::select_next_proto use after free
    ┌─ /stellar/stellar-cli/Cargo.lock:289:1
    │
289 │ openssl 0.10.68 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2025-0004
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0004
    = In `openssl` versions before `0.10.70`, `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.
...
    = Announcement: https://github.com/sfackler/rust-openssl/security/advisories/GHSA-rpmj-rpgj-qmpm
    = Solution: Upgrade to >=0.10.70 (try `cargo update -p openssl`)
    = openssl v0.10.68
      └── native-tls v0.2.12
          ├── hyper-tls v0.6.0
          │   └── reqwest v0.12.7
          │       ├── soroban-cli v22.2.0
          │       │   ├── soroban-test v22.2.0
          │       │   └── stellar-cli v22.2.0
          │       ├── stellar-ledger v22.2.0
          │       └── testcontainers v0.20.1
          │           └── (dev) stellar-ledger v22.2.0 (*)
          ├── reqwest v0.12.7 (*)
          └── tokio-native-tls v0.3.1
              ├── hyper-tls v0.6.0 (*)
              └── reqwest v0.12.7 (*)

Known limitations

[TODO or N/A]

@elizabethengelman elizabethengelman enabled auto-merge (squash) February 3, 2025 23:05
@elizabethengelman elizabethengelman merged commit 9580305 into main Feb 4, 2025
25 checks passed
@elizabethengelman elizabethengelman deleted the update-openssl branch February 4, 2025 16:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

2 participants