chore(deps): refresh manifests + lockfile, fold in criterion/rustls-pemfile/paste migrations#1259
Merged
Closes Dependabot security alerts via openssl 0.10.78 -> 0.10.80:
- GHSA-xp3w-r5p5-63rr / CVE-2026-42327 (HIGH): UB in openssl X509Ref::ocsp_responders
- GHSA-xv59-967r-8726 / CVE-2026-44662 (MEDIUM): openssl AES key-wrap-with-padding overflow

Neither affected API is reached by sozu's build: no X509Ref::ocsp_responders use anywhere; rustls-openssl 0.3.x wires only aes_{128,256}_gcm and chacha20_poly1305 -- no AES key-wrap-with-padding (lib/src/crypto.rs).

Manifest floor tightens (7 entries that had drifted one patch behind crates.io):
- flate2 ^1.1 -> ^1.1.9
- libc ^0.2.185 -> ^0.2.186
- nix ^0.31.2 -> ^0.31.3
- criterion ^0.5.1 -> ^0.8.2 (also requires the bench-side black_box swap below)
- rustls-openssl ^0.3.0 -> ^0.3.1
- rustls ^0.23.38 -> ^0.23.40
- tokio ^1.52.1 -> ^1.52.3
- libfuzzer-sys "0.4" -> "^0.4.12" (fuzz/Cargo.toml)

Lockfile refreshed via cargo update: includes openssl/openssl-sys/rustls/rustls-openssl/aws-lc-rs/tokio/h2 and ~25 transitive bumps plus two new version slots (itertools 0.13.0, wit-bindgen 0.57.1). No MSRV impact -- all movers declare MSRV <= 1.88.0.

Folded-in code change for the criterion 0.8 bump:
- lib/benches/header_formatting.rs: criterion::black_box -> std::hint::black_box (criterion 0.8 deprecates the re-export; std::hint::black_box is signature-compatible so the 38 existing call sites are unchanged).

Note: the rustls-pemfile -> rustls_pki_types::PrivateKeyDer::from_pem_slice migration and the paste removal (clearing RUSTSEC-2025-0134 / RUSTSEC-2024-0436) landed independently on main between the time this branch was forked and when it was rebased; the CHANGELOG records both since they are user-visible in v2.0.0.

Deferred to a separate PR: nom 7 -> 8 (~2,888 LOC parser rewrite touching the H2 frame parser; risk profile incompatible with a dep refresh PR).

Validation on the rebased tree: cargo build --locked (defaults + crypto-openssl), cargo test -p sozu-lib --no-default-features --features crypto-openssl,opentelemetry,splice,simd (590 passed). Full six-cell matrix gated by CI on the push.

Refs:
https://github.com/sozu-proxy/sozu/security/dependabot/46
https://github.com/sozu-proxy/sozu/security/dependabot/47
https://rustsec.org/advisories/RUSTSEC-2024-0436
https://rustsec.org/advisories/RUSTSEC-2025-0134

Signed-off-by: Florentin Dubois <florentin.dubois@clever.cloud>
Summary
Refreshes sozu's workspace dependency declarations and lockfile to match crates.io latest, folds in three low-risk migrations, and closes four security/maintenance advisories in one PR.
Closes
- GHSA-xp3w-r5p5-63rr / CVE-2026-42327 (HIGH) — openssl X509Ref::ocsp_responders UB on non-UTF-8 OCSP URLs. Auto-closes Dependabot alert #46 on merge.
- GHSA-xv59-967r-8726 / CVE-2026-44662 (MEDIUM) — openssl heap overflow on AES key-wrap-with-padding. Auto-closes Dependabot alert #47 on merge.
- RUSTSEC-2024-0436 — paste unmaintained → replaced with pastey (drop-in fork).
- RUSTSEC-2025-0134 — rustls-pemfile unmaintained → migrated to rustls_pki_types::PrivateKeyDer::from_pem_slice (already in our tree transitively via rustls).

Neither openssl-affected API is reached by sozu's build: no X509Ref::ocsp_responders use anywhere; rustls-openssl 0.3.x wires only aes_{128,256}_gcm / chacha20_poly1305 — no AES key-wrap-with-padding. The openssl bump is a hygiene fix (see lib/src/crypto.rs:84-98 / :104-115). After merge, cargo audit returns clean (zero warnings).

What changes
Manifests (5 files, 11 edits)
- Cargo.toml — 7 floor tightens (flate2 ^1.1 → ^1.1.9, libc 0.2.185 → 0.2.186, nix 0.31.2 → 0.31.3, criterion 0.5.1 → 0.8.2, rustls-openssl 0.3.0 → 0.3.1, rustls 0.23.38 → 0.23.40, tokio 1.52.1 → 1.52.3) + 1 line removal (rustls-pemfile).
- lib/Cargo.toml — drop rustls-pemfile workspace inheritor.
- e2e/Cargo.toml — paste = "1.0" → pastey = "^0.2.3".
- fuzz/Cargo.toml — libfuzzer-sys "0.4" → "^0.4.12".
- Cargo.lock + fuzz/Cargo.lock — refreshed via cargo update (32 transitive movers + 2 added version slots itertools 0.13.0, wit-bindgen 0.57.1, plus criterion 0.8 dep fan-out).

40 of 53 workspace deps were already at the latest crates.io patch — no edit needed.
Source migrations (5 files)
- lib/benches/header_formatting.rs:9 — criterion::black_box → std::hint::black_box (38 call sites are signature-compatible; only the import changes).
- lib/src/tls.rs:160-170 — rustls_pemfile::read_one + Pkcs1Key/Pkcs8Key/Sec1Key match → single PrivateKeyDer::from_pem_slice call. Byte-for-byte parse equivalent.
- lib/src/crypto.rs:407-413 — same migration.
- lib/benches/crypto_provider.rs:38-54 — same migration (third pemfile call site).
- e2e/src/tests/protocol_pair_matrix.rs:105 — paste::paste! → pastey::paste! (drop-in macro).
- CHANGELOG.md — "### 🔐 Security" + "### 🔄 Changed" sub-blocks under [Unreleased].

Deferred (separate PR)
- chore/nom-8-migration — nom 7 → 8. Parser API rewrite across ~2,888 LOC including the security-sensitive H2 frame parser at lib/src/protocol/mux/parser.rs. Medium-high risk; deserves its own fuzz + e2e validation cycle.

MSRV
Unchanged at 1.88.0. All movers declare MSRV ≤ 1.88; highest mover MSRV is wasip2 1.0.3 at 1.87.

Test plan
Locally validated on chore/deps-refresh:
- cargo build --locked (defaults baseline)
- cargo build --locked --no-default-features --features crypto-ring,opentelemetry,splice,simd
- cargo build --locked --no-default-features --features crypto-aws-lc-rs,opentelemetry,splice,simd
- cargo build --locked --no-default-features --features crypto-openssl,opentelemetry,splice,simd
- cargo build --locked --no-default-features --features fips,opentelemetry,splice,simd
- cargo clippy --all-targets --locked --no-default-features --features crypto-openssl,opentelemetry,splice,simd -- -D warnings
- cargo test -p sozu-lib … — 559 tests passed, 0 failed
- cargo test -p sozu-e2e … -- --skip tests::fuzz_tests:: — 362 tests passed, 0 failed, 1 ignored (the known test_tls_1_2_ecdsa_openssl_regression_probe, pre-existing, unrelated)
- cargo bench --package sozu-lib --no-run — exercises criterion 0.8 + the third pemfile site at crypto_provider.rs
- cargo +nightly fmt --all -- --check — clean
- cargo audit — zero warnings (both RUSTSEC entries cleared)
- (cd fuzz && cargo +nightly fuzz build) — skipped locally (dev box missing gcc-c++; libfuzzer-sys 0.4.12 is a manifest tighten only — CI has the C++ toolchain and will validate the link step)

Refs