
chore(deps): update rust crate openssl to v0.10.72 [security]

Open. renovate-sh-app[bot] opened this pull request 2 weeks ago • 1 comment

This PR contains the following updates:

Package   Type           Update   Change
openssl   dependencies   patch    0.10.66 -> 0.10.72

rust-openssl ssl::select_next_proto use after free

CVE-2025-24898 / GHSA-rpmj-rpgj-qmpm / RUSTSEC-2025-0004

More information

Details

Impact

ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

Patches

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

Workarounds

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    // The server list is a 'static byte string, so the returned slice can never outlive it.
    // AlpnError::NOACK is a constant, not a closure, so ok_or is the right combinator here.
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

// Owned server list created outside the callback: it lives as long as the builder does.
let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    // Owned server list local to the callback: it is dropped when the closure returns.
    let server_protos = b"\x02h2".to_vec();
    // Before 0.10.70 the returned slice pointed into server_protos while its lifetime was
    // bound to client_protos, so the slice dangled once the callback returned.
    ssl::select_next_proto(&server_protos, client_protos).ok_or(AlpnError::NOACK)
});

References

https://github.com/sfackler/rust-openssl/pull/2360

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


ssl::select_next_proto use after free

CVE-2025-24898 / GHSA-rpmj-rpgj-qmpm / RUSTSEC-2025-0004

More information

Details

In openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    // The server list is a 'static byte string, so the returned slice can never outlive it.
    // AlpnError::NOACK is a constant, not a closure, so ok_or is the right combinator here.
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

// Owned server list created outside the callback: it lives as long as the builder does.
let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    // Owned server list local to the callback: it is dropped when the closure returns.
    let server_protos = b"\x02h2".to_vec();
    // Before 0.10.70 the returned slice pointed into server_protos while its lifetime was
    // bound to client_protos, so the slice dangled once the callback returned.
    ssl::select_next_proto(&server_protos, client_protos).ok_or(AlpnError::NOACK)
});

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Use-After-Free in Md::fetch and Cipher::fetch

GHSA-4fcv-w3qc-ppgg / RUSTSEC-2025-0022

More information

Details

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


rust-openssl Use-After-Free in Md::fetch and Cipher::fetch

GHSA-4fcv-w3qc-ppgg / RUSTSEC-2025-0022

More information

Details

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

rust-openssl/rust-openssl (openssl)

v0.10.72, full changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.71...openssl-v0.10.72

v0.10.71, full changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.70...openssl-v0.10.71

v0.10.70 (openssl v0.10.70), full changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.69...openssl-v0.10.70

v0.10.69 (openssl v0.10.69), full changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...openssl-v0.10.69

v0.10.68, full changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.67...openssl-v0.10.68

v0.10.67, full changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.67


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

renovate-sh-app[bot] avatar Nov 14 '25 09:11 renovate-sh-app[bot]
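The lifetime issue behind CVE-2025-24898, worked through in an added example (not code from the advisories above or from rust-openssl). It models in safe Rust the server-preference ALPN selection that ssl::select_next_proto performs, using the output lifetime that 0.10.70 adopted, so the pattern the advisory calls vulnerable becomes a compile error instead of a use after free. The function names, the wire-format parser, the owned-copy helper and the sample protocol lists are assumptions. In the real set_alpn_select_callback the callback still has to return a borrowed slice, so the remedy there is a server buffer that outlives the handshake, as the two non-vulnerable snippets show, not an owned copy.

```rust
// Added example: a safe-Rust model of the ALPN selection that
// `ssl::select_next_proto` performs, written with the output lifetime that
// openssl 0.10.70 adopted. Illustrative code, not rust-openssl's
// implementation; the function names and `main` are assumptions.

/// Split an ALPN protocol list in wire format (`<len: u8><name bytes>`,
/// repeated) into its entries. A truncated entry or a zero-length name is
/// malformed and yields `None` rather than a partial list.
fn alpn_entries(list: &[u8]) -> Option<Vec<&[u8]>> {
    let mut entries = Vec::new();
    let mut i = 0;
    while i < list.len() {
        let len = list[i] as usize;
        if len == 0 || i + 1 + len > list.len() {
            return None;
        }
        entries.push(&list[i + 1..i + 1 + len]);
        i += 1 + len;
    }
    Some(entries)
}

/// Server-preference selection: the first protocol in `server` that the
/// client also offers, or `None` when there is no overlap (the crate maps
/// OPENSSL_NPN_NO_OVERLAP to `None` as well).
///
/// The result borrows from `server`, so one lifetime `'a` must cover both
/// inputs and the output. Before 0.10.70 the signature tied the output to
/// `client` only; because the real function wraps an FFI call, the compiler
/// could not see that the returned pointer lived in `server`, and a `server`
/// Vec dropped at the end of the callback left a dangling slice. With this
/// signature, returning a slice of a `server` buffer that dies before the
/// result is used fails to compile ("borrowed value does not live long enough").
pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    let server_entries = alpn_entries(server)?;
    let client_entries = alpn_entries(client)?;
    server_entries
        .into_iter()
        .find(|s| client_entries.iter().any(|c| c == s))
}

/// Copy the selection out of the borrowed buffers, for call sites where the
/// server list is assembled on the fly and the choice must outlive it.
pub fn select_owned(server: &[u8], client: &[u8]) -> Option<Vec<u8>> {
    select_next_proto(server, client).map(|p| p.to_vec())
}

fn main() {
    // Constructed sample lists: the client prefers http/1.1, the server prefers h2.
    let client_protos: Vec<u8> = b"\x08http/1.1\x02h2".to_vec();
    let chosen = {
        // Server list built in an inner scope, like the advisory's vulnerable
        // pattern; the owned copy makes the choice independent of that scope.
        let server_protos = b"\x02h2\x08http/1.1".to_vec();
        select_owned(&server_protos, &client_protos)
    };
    match chosen {
        Some(p) => println!("negotiated {}", String::from_utf8_lossy(&p)),
        None => println!("no overlap"),
    }
}
```

Running it prints `negotiated h2`: server order wins over client order, which is also the behaviour of SSL_select_next_proto that the crate wraps. The parser's malformed-input path matters in practice because the client list arrives straight from the ClientHello; a length byte that runs past the buffer is rejected rather than read past the end.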
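The CString rule behind GHSA-4fcv-w3qc-ppgg, as an added example that is not rust-openssl's code: a stand-in mock_fetch reads the properties pointer the way a C fetch function such as EVP_MD_fetch or EVP_CIPHER_fetch would, and fetch shows the binding discipline that keeps the Option<CString> alive across the call. mock_fetch, fetch and the sample algorithm names are assumptions.

```rust
// Added example: the CString lifetime rule that the Md::fetch / Cipher::fetch
// advisory is about, demonstrated against `mock_fetch`, a stand-in for the C
// fetch call (EVP_MD_fetch / EVP_CIPHER_fetch take `const char *properties`).
// Illustrative code, not rust-openssl's; `mock_fetch` and `fetch` are assumptions.

use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// Reads `algorithm` and `properties` as NUL-terminated C strings at call
/// time, exactly as a C callee would; a null `properties` means "no query".
/// Safety: each pointer must be null or point to a valid C string for the
/// whole duration of the call.
unsafe fn mock_fetch(algorithm: *const c_char, properties: *const c_char) -> String {
    let alg = unsafe { CStr::from_ptr(algorithm) }.to_string_lossy().into_owned();
    let props = if properties.is_null() {
        String::new()
    } else {
        unsafe { CStr::from_ptr(properties) }.to_string_lossy().into_owned()
    };
    format!("{}[{}]", alg, props)
}

/// Correct pattern: every CString is bound to a local that outlives the FFI
/// call, so the raw pointers derived from it stay valid until the callee
/// returns. An inlined form such as
/// `properties.map(|p| CString::new(p).unwrap().as_ptr())` drops each CString
/// at the end of the closure; std's CString::drop overwrites the first byte
/// with NUL, which is why the advisory's use after free usually surfaced as
/// OpenSSL seeing an empty property string rather than as a crash.
pub fn fetch(algorithm: &str, properties: Option<&str>) -> Result<String, NulError> {
    let alg = CString::new(algorithm)?;
    let props = match properties {
        Some(p) => Some(CString::new(p)?),
        None => None,
    };
    let props_ptr = props.as_ref().map_or(std::ptr::null(), |c| c.as_ptr());
    // `alg` and `props` are still alive here and until this function returns.
    Ok(unsafe { mock_fetch(alg.as_ptr(), props_ptr) })
}

fn main() {
    // Constructed sample inputs.
    println!("{}", fetch("SHA256", Some("provider=default")).unwrap());
    println!("{}", fetch("AES-128-GCM", None).unwrap());
}
```

The interior NUL case is covered by CString::new returning NulError; passing such a name through would silently truncate the C string, so it is surfaced as an error instead.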

Codecov Report

All modified and coverable lines are covered by tests. Project coverage is 49.83%. Comparing base (7cc5581) to head (86f08fb).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2314      +/-   ##
==========================================
+ Coverage   43.30%   49.83%   +6.52%     
==========================================
  Files          38       38              
  Lines        2974     2974              
==========================================
+ Hits         1288     1482     +194     
+ Misses       1573     1343     -230     
- Partials      113      149      +36     
Flag                                            Coverage   Δ
integration-test                                16.76%     <ø> (?)
integration-test-vm-${ARCH}-${KERNEL_VERSION}   0.00%      <ø> (?)
k8s-integration-test                            2.62%      <ø> (?)
oats-test                                       0.00%      <ø> (?)
unittests                                       43.30%     <ø> (ø)

Flags with carried forward coverage won't be shown.

View full report in Codecov by Sentry.

codecov-commenter avatar Nov 14 '25 10:11 codecov-commenter

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (0.10). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate-sh-app[bot] avatar Nov 19 '25 00:11 renovate-sh-app[bot]