build(deps): update boring requirement from 4.15.7 to 4.15.8 #467

Merged (1 commit, Feb 24, 2025)

Conversation

@0x676e67 0x676e67 commented Feb 24, 2025

See sfackler/rust-openssl#2360 and https://nvd.nist.gov/vuln/detail/CVE-2025-24898. From the rust-openssl PR:

SSL_select_next_proto can return a pointer into either the client or server buffers, but the type signature of the function previously only bound the output buffer to the client buffer. This can result in a UAF in situations where the server slice does not point to a long-lived allocation.

Thanks to Matt Mastracci for reporting this issue.
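As an added illustration, and not code from this PR, from boring or from rust-openssl, the following safe Rust re-implementation of the SSL_select_next_proto matching rule shows why the output lifetime must cover both input buffers; the byte strings and the `borrows_from` helper are constructed for the example.

```rust
/// Walk a wire-format protocol list: each entry is a 1-byte length followed
/// by that many bytes. A truncated or zero-length entry is reported as None
/// instead of being read past the end of the buffer.
fn protocols(list: &[u8]) -> impl Iterator<Item = Option<&[u8]>> {
    let mut pos = 0;
    std::iter::from_fn(move || {
        if pos >= list.len() {
            return None;
        }
        let len = list[pos] as usize;
        let (start, end) = (pos + 1, pos + 1 + len);
        if len == 0 || end > list.len() {
            pos = list.len(); // stop after reporting the malformed entry
            return Some(None);
        }
        pos = end;
        Some(Some(&list[start..end]))
    })
}

/// Same rule as SSL_select_next_proto: take the server list in preference
/// order and return the first entry that the client also offers. The result
/// borrows from `server`, so 'a must bind BOTH inputs (the fixed signature).
/// The pre-fix wrapper, `fn select_next_proto<'a>(server: &[u8], client: &'a [u8])
/// -> Option<&'a [u8]>`, only compiled because the FFI layer built the slice in
/// unsafe code; in safe Rust the borrow checker rejects that signature.
pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    let client_protos: Vec<&[u8]> = protocols(client).collect::<Option<Vec<_>>>()?;
    for proto in protocols(server) {
        let proto = proto?; // malformed server list: refuse rather than overread
        if client_protos.contains(&proto) {
            return Some(proto);
        }
    }
    None
}

/// Constructed helper: does `slice` lie inside the allocation behind `buf`?
pub fn borrows_from(slice: &[u8], buf: &[u8]) -> bool {
    let (start, end) = (buf.as_ptr() as usize, buf.as_ptr() as usize + buf.len());
    let p = slice.as_ptr() as usize;
    p >= start && p + slice.len() <= end
}

fn main() {
    let server = b"\x02h2\x08http/1.1"; // server prefers h2
    let client = b"\x08http/1.1\x02h2"; // client offers both
    let chosen = select_next_proto(server, client).unwrap();
    println!("negotiated {:?}, borrows from server: {}",
             std::str::from_utf8(chosen).unwrap(), borrows_from(chosen, server));
}
```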

@0x676e67 0x676e67 changed the title from "deps(boring): Fix lifetimes in ssl::select_next_proto" to "build(deps): update boring requirement from 4.15.7 to 4.15.8" Feb 24, 2025
@0x676e67 0x676e67 merged commit f94c722 into master Feb 24, 2025
3 checks passed
@0x676e67 0x676e67 deleted the build branch February 24, 2025 03:56