Skip to content

chore(deps): bump rustls-webpki from 0.103.11 to 0.103.13 in the cargo group across 1 directory#222

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/cargo-8056535635
Open

chore(deps): bump rustls-webpki from 0.103.11 to 0.103.13 in the cargo group across 1 directory#222
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/cargo-8056535635

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026
edited
Loading

Bumps the cargo group with 1 update in the / directory: rustls-webpki.

Updates rustls-webpki from 0.103.11 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

  • Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
  • For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

Commits
  • 2879b2c Prepare 0.103.13
  • 2c49773 Improve tests for padding of BitStringFlags
  • 4e3c0b3 Correct validation of BIT STRING constraints
  • 39c91d2 Actually fail closed for URI matching against excluded subtrees
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • See full diff in compare view

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 21, 2026

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner April 21, 2026 11:36
@dependabot
chore(deps): bump rustls-webpki in the cargo group across 1 directory
27950fe 
Bumps the cargo group with 1 update in the / directory: [rustls-webpki](https://github.com/rustls/webpki).


Updates `rustls-webpki` from 0.103.11 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.11...v/0.103.13)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/cargo-8056535635 branch from 315f254 to 27950fe Compare April 23, 2026 14:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants