From 34761ce0110860d9a73976c75075b91956b2675c Mon Sep 17 00:00:00 2001 
From: Victor Garcia Date: Tue, 5 May 2026 12:57:24 +0200 Subject: [PATCH] chore(security): bump rustls-webpki + rand patch versions; ignore upstream-blocked hickory advisories MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes 3 RustSec vulnerabilities flagged by `cargo audit` and the CI Security Audit step, plus the rand unsoundness warning. Adds `.cargo/audit.toml` to document the 2 remaining hickory-proto advisories (both blocked on an iroh major bump, tracked as CHORE-iroh-bump). ## Bumps - `rustls-webpki` 0.103.10 → 0.103.13 (transitive via iroh-relay / reqwest / quinn / hickory-resolver). Closes: - RUSTSEC-2026-0098 (URI name constraints incorrectly accepted) - RUSTSEC-2026-0099 (wildcard cert name constraints accepted) - RUSTSEC-2026-0104 (CRL parsing panic) Patch bump within rustls's existing 0.103.x major; no API surface change. - `rand` 0.9.2 → 0.9.4 (direct dep in `forgetty-sync` and root `Cargo.toml`, also transitive via iroh chain). Closes the RUSTSEC-2026-0097 "rand unsound with custom logger using rand::rng()" warning. Patch bump within rand's existing 0.9.x major; the rand 0.10.x breaking-API migration is tracked separately as CHORE-rand-0.10-upgrade. `cargo audit` before this commit: 5 vulnerabilities, 5 warnings. After: 0 unignored vulnerabilities, 4 warnings (all unmaintained transitives that don't fail CI). ## .cargo/audit.toml Two hickory-proto advisories remain after the bumps. Both are transitive via `iroh 0.97.x → iroh-relay → hickory-resolver → hickory-proto 0.25.x`: - RUSTSEC-2026-0119 — CPU exhaustion via O(n²) DNS name compression. Fix available in hickory-proto >= 0.26.1; blocked on bumping iroh past 0.97.x (which pins hickory 0.25.x). Tracked as CHORE-iroh-bump. - RUSTSEC-2026-0118 — NSEC3 closest-encloser proof unbounded loop. NO upstream fix available as of 2026-05-05 (https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465). 
Re-evaluate when hickory-dns ships a fix. Both are ignored with rationale comments in `.cargo/audit.toml`. The threat model for solo-dogfood use (LAN-only iroh pairing) makes neither exploitable in practice; they become higher-priority once forgetty has external users pairing devices over untrusted networks. ## Tests - cargo check --workspace: PASS - cargo build --release: PASS (implicit via cargo check) - cargo test --workspace --exclude forgetty-gtk: PASS (203 tests; same as pre-bump baseline) - cargo audit: exits 0 (was: exit 1 with 5 vulnerabilities) ## Files - Cargo.lock +15 -15 (rustls-webpki + rand bumps) - .cargo/audit.toml +30 -0 (new file; ignore list with rationale for the 2 remaining hickory advisories) ## Supersedes - PR #32 (rustls-webpki 0.103.10 → 0.103.13) — same bump, closed in favour of this consolidated commit - PR #33 (rand 0.9.2 → 0.9.3) — same bump but to 0.9.4 (one patch newer); closed in favour of this consolidated commit --- .cargo/audit.toml | 31 +++++++++++++++++++++++++++++++ Cargo.lock | 30 +++++++++++++++--------------- 2 files changed, 46 insertions(+), 15 deletions(-) create mode 100644 .cargo/audit.toml diff --git a/.cargo/audit.toml b/.cargo/audit.toml new file mode 100644 index 0000000..e5cc873 --- /dev/null +++ b/.cargo/audit.toml 
@@ -0,0 +1,31 @@
+# cargo-audit / rustsec/audit-check@v2 configuration
+#
+# Each ignore MUST have a comment with (a) why it's ignored, (b) what would
+# trigger re-evaluation. Audit this file every time we bump iroh or hickory.
+#
+# Last reviewed: 2026-05-05 (post-P-018 merge).
+
+[advisories]
+ignore = [
+ # ----- hickory-proto (transitive via iroh-relay → hickory-resolver) -----
+ #
+ # RUSTSEC-2026-0119 — CPU exhaustion via O(n²) DNS name compression during
+ # message encoding. Fix available in hickory-proto >= 0.26.1, but iroh
+ # 0.97.x pins hickory-proto 0.25.x. Bumping iroh to a release that pulls
+ # hickory 0.26+ is tracked as CHORE-iroh-bump in BACKLOG.md.
+ #
+ # Threat-model note: would require an attacker who can return crafted
+ # DNS responses for iroh relay name resolution. Low realistic exposure
+ # for forgetty's solo-dogfood use case (LAN pairing); higher once
+ # external users pair devices over untrusted networks.
+ "RUSTSEC-2026-0119",
+
+ # RUSTSEC-2026-0118 — NSEC3 closest-encloser proof validation enters an
+ # unbounded loop on cross-zone responses. NO upstream fix available
+ # (https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465).
+ # Re-evaluate when hickory-dns ships a fix.
+ #
+ # Threat-model note: same as above — DNSSEC validation path during iroh
+ # relay resolution.
+ "RUSTSEC-2026-0118",
+]
diff --git a/Cargo.lock b/Cargo.lock
index dc62b24..dfd775d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -969,7 +969,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1445,7 +1445,7 @@ dependencies = [
 "log",
 "rustversion",
 "windows-link 0.1.3",
- "windows-result 0.4.1",
+ "windows-result 0.3.4",
 ]
 
 [[package]]
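Review bot: The threat-model note under RUSTSEC-2026-0119 assumes an attacker must return crafted DNS responses, but the comment two lines above places the O(n²) cost in message encoding; if hickory-proto pays that cost when serializing names, the input may be a name the resolver is asked to look up rather than a response it receives, so the note should state which direction is affected and where those names originate (relay URLs from config versus peer-supplied addresses). Next to each ID I would also record the version condition that makes the entry removable, e.g. `# affected: hickory-proto < 0.26.1 — drop this entry once Cargo.lock resolves >= 0.26.1` for 0119 and `# affected: every released hickory-proto as of 2026-05-05` for 0118, because cargo-audit's `ignore` list has no expiry and the `Last reviewed:` header is otherwise the only staleness signal. The header names rustsec/audit-check@v2; confirm the CI Security Audit step actually reads this file rather than only its own `ignore` input, since the commit record reports a clean local `cargo audit` but not the CI result. Separately, the Cargo.lock hunks in this patch also move windows-sys, windows-core, windows-result, windows and getrandom (windows-result goes 0.4.1 → 0.3.4 and windows-core 0.62.2 → 0.61.2), which the description's "rustls-webpki + rand bumps" does not account for, so it is worth confirming those resolver changes were intended.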
@@ -1990,7 +1990,7 @@ dependencies = [
 "js-sys",
 "log",
 "wasm-bindgen",
- "windows-core 0.62.2",
+ "windows-core 0.61.2",
 ]
 
 [[package]]
@@ -2391,7 +2391,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
 "hermit-abi",
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -3617,9 +3617,9 @@ checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
 
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
 "rand_chacha",
 "rand_core",
@@ -3827,7 +3827,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -3857,9 +3857,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
 "ring",
 "rustls-pki-types",
@@ -3906,7 +3906,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b55fb86dfd3a2f5f76ea78310a88f96c4ea21a3031f8d212443d56123fd0521"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -4284,10 +4284,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
 "fastrand",
- "getrandom 0.3.4",
+ "getrandom 0.4.2",
 "once_cell",
 "rustix",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5050,7 +5050,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5575,8 +5575,8 @@ dependencies = [
 "log",
 "serde",
 "thiserror 2.0.18",
- "windows 0.62.2",
- "windows-core 0.62.2",
+ "windows 0.61.3",
+ "windows-core 0.61.2",
 ]
 
 [[package]]