Update Rust crate ring to 0.17.12 [SECURITY] #39
renovate[bot] wants to merge 1 commit into master from
This PR contains the following updates:

| Package | Change |
|---|---|
| ring | `0.13.5` → `0.17.12` |

### GitHub Vulnerability Alerts

#### CVE-2025-4432

`ring::aead::quic::HeaderProtectionKey::new_mask()` may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 2**32 packets sent and/or received.

On 64-bit targets, operations using `ring::aead::{AES_128_GCM, AES_256_GCM}` may panic when overflow checking is enabled, when encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols like TLS and SSH are not affected by this because those protocols break large amounts of data into small chunks. Similarly, most applications will not attempt to encrypt/decrypt 64GB of data in one chunk.

Overflow checking is not enabled in release mode by default, but `RUSTFLAGS="-C overflow-checks"` or `overflow-checks = true` in the Cargo.toml profile can override this. Overflow checking is usually enabled by default in debug mode.

### Release Notes
briansmith/ring (ring)
v0.17.12
========

Bug fix: #2447 for denial of service (DoS).

Fixes a panic in `ring::aead::quic::HeaderProtectionKey::new_mask()` when
integer overflow checking is enabled. In the QUIC protocol, an attacker can
induce this panic by sending a specially-crafted packet. Even unintentionally
it is likely to occur in 1 out of every 2**32 packets sent and/or received.

Fixes a panic on 64-bit targets in `ring::aead::{AES_128_GCM, AES_256_GCM}`
when overflow checking is enabled, when encrypting/decrypting approximately
68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols
like TLS and SSH are not affected by this because those protocols break large
amounts of data into small chunks. Similarly, most applications will not
attempt to encrypt/decrypt 64GB of data in one chunk.

Overflow checking is not enabled in release mode by default, but
`RUSTFLAGS="-C overflow-checks"` or `overflow-checks = true` in the Cargo.toml
profile can override this. Overflow checking is usually enabled by default in
debug mode.
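The build-profile-dependent overflow behaviour described in the advisory and the release notes above, as an added Rust illustration that is not ring's code: `naive_counter`, `checked_counter`, `wrapping_counter` and `overflow_checks_enabled` are hypothetical stand-ins for arithmetic on values read from the wire, and show how the same overflow is a panic (a remotely triggerable DoS) under one profile, a silent wrap under another, and a recoverable error only when written with checked arithmetic.

```rust
// Added illustration of the failure mode in the advisory above. This is not
// ring's code: the arithmetic and the names are hypothetical stand-ins.

use std::hint::black_box;
use std::panic::catch_unwind;

/// Naive derivation of a per-packet value from two u32 fields taken from the
/// wire. With overflow checks enabled (debug builds, or release builds with
/// `overflow-checks = true` / `RUSTFLAGS="-C overflow-checks"`) the `+` panics
/// once `base + offset` exceeds u32::MAX; in a default release build it wraps
/// silently. Either way the caller never learns that the input was bad.
pub fn naive_counter(base: u32, offset: u32) -> u32 {
    base + offset
}

/// Fail-closed variant: the same condition becomes an error the caller can
/// handle (e.g. drop the packet) regardless of build profile.
pub fn checked_counter(base: u32, offset: u32) -> Result<u32, &'static str> {
    base.checked_add(offset)
        .ok_or("counter overflow: rejecting packet")
}

/// When wrap-around is the intended semantics (a modular counter), say so
/// explicitly so the behaviour does not depend on the build profile.
pub fn wrapping_counter(base: u32, offset: u32) -> u32 {
    base.wrapping_add(offset)
}

/// Reports whether integer overflow panics in the current build. `black_box`
/// keeps the compiler from evaluating the overflow at compile time.
pub fn overflow_checks_enabled() -> bool {
    catch_unwind(|| black_box(u32::MAX) + black_box(1u32)).is_err()
}

fn main() {
    println!("overflow checks enabled: {}", overflow_checks_enabled());
    println!("checked: {:?}", checked_counter(u32::MAX, 1));
    println!("wrapping: {}", wrapping_counter(u32::MAX, 1));
    // naive_counter(u32::MAX, 1) would panic here under overflow checks.
}
```

Run it once with `cargo run` and once with `cargo run --release` to see the same input switch between a panic and a silent wrap, while `checked_counter` reports an error in both.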
v0.17.1
=======

Support for aarch64-*-linux-uclibc targets was removed, as there do not seem to
be any such targets.
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.