From f31e27768ade19388eb2af202a86d61a7451ee69 Mon Sep 17 00:00:00 2001
From: Weston Pace
Date: Mon, 27 Apr 2026 17:56:10 -0700
Subject: [PATCH] fix: address RUSTSEC-2026-0104 cargo-deny advisory (#3326)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## Summary
- Update `rustls-webpki` 0.103.10 → 0.103.13 to fix RUSTSEC-2026-0104 (reachable panic in CRL parsing)
- Add advisory ignore for the legacy `rustls-webpki` 0.101.7 copy pinned to the aws-smithy/rustls 0.21 chain (same chain already exempted for RUSTSEC-2026-0098/0099)
Fixes the `deny` CI job failure seen in #3325.
## Test plan
- [x] `cargo deny check advisories` passes locally
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.6 (1M context)
---
Cargo.lock | 6 +++---
deny.toml | 6 ++++++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 42ad17f65..a6825a4b1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -6980,7 +6980,7 @@ dependencies = [
 "once_cell",
 "ring",
 "rustls-pki-types",
- "rustls-webpki 0.103.10",
+ "rustls-webpki 0.103.13",
 "subtle",
 "zeroize",
 ]
@@ -7028,9 +7028,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
 "aws-lc-rs",
 "ring",
diff --git a/deny.toml b/deny.toml
index a2542235d..85231f920 100644
--- a/deny.toml
+++ b/deny.toml
@@ -83,6 +83,12 @@ ignore = [
 # https://rustsec.org/advisories/RUSTSEC-2026-0099
 { id = "RUSTSEC-2026-0098", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" },
 { id = "RUSTSEC-2026-0099", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" },
+
+ # rustls-webpki 0.101.7: reachable panic in CRL parsing. Same legacy
+ # rustls 0.21 chain from aws-smithy-http-client as above. The 0.103 line
+ # we actively use is upgraded to 0.103.13 which contains the fix.
+ # https://rustsec.org/advisories/RUSTSEC-2026-0104
+ { id = "RUSTSEC-2026-0104", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" },
 ]
 
 # ---------------------------------------------------------------------------
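Review bot: The new entry `{ id = "RUSTSEC-2026-0104", reason = ... }` is keyed on the advisory id alone, so it silences RUSTSEC-2026-0104 for every `rustls-webpki` copy in the lockfile rather than only the legacy 0.101.7 one — if a later lockfile change pulled in another 0.103.x copy below 0.103.13, `cargo deny check advisories` would stay green and the fix this commit makes in Cargo.lock could regress unnoticed. If the cargo-deny release pinned in CI allows an ignore entry to be scoped to a specific crate or version, narrowing this entry (and the 0098/0099 ones above it) would keep the check effective for the 0.103 line; that should be confirmed against the docs for the version actually used rather than assumed. Either way the comment block should state the removal trigger instead of only the current fix version, which will drift, e.g. `# Drop this entry once aws-smithy-http-client no longer pulls in rustls 0.21 / rustls-webpki 0.101.` The enclosing `ignore = [` array starts before this hunk.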