Skip to content

build(deps): bump rustls-webpki from 0.103.10 to 0.103.12#520

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/cargo/rustls-webpki-0.103.12
Apr 21, 2026
Merged

build(deps): bump rustls-webpki from 0.103.10 to 0.103.12#520
github-actions[bot] merged 1 commit into
mainfrom
dependabot/cargo/rustls-webpki-0.103.12

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026
edited
Loading

Bumps rustls-webpki from 0.103.10 to 0.103.12.

Release notes

Sourced from rustls-webpki's releases.

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Commits
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown criticial extensions
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Apr 21, 2026
@github-actions github-actions Bot enabled auto-merge April 21, 2026 09:08
@dependabot dependabot Bot force-pushed the dependabot/cargo/rustls-webpki-0.103.12 branch from 2a52c94 to 9bcdd93 Compare April 21, 2026 09:11
@dependabot
build(deps): bump rustls-webpki from 0.103.10 to 0.103.12
d041d25 
Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.12.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.10...v/0.103.12)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/rustls-webpki-0.103.12 branch from 9bcdd93 to d041d25 Compare April 21, 2026 09:14
@github-actions github-actions Bot merged commit f4448d4 into main Apr 21, 2026
3 checks passed
@dependabot dependabot Bot deleted the dependabot/cargo/rustls-webpki-0.103.12 branch April 21, 2026 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants