
chore(deps,security): update rustls to v0.21.11 #4993

Merged: 1 commit merged into 1.45.0 from tninesling/bump-rustls on Apr 20, 2024

Conversation

@tninesling (Contributor) commented Apr 19, 2024

Important

Read below for important details. While the Router is unaffected, this patch will be applied in Router v1.45.0 which will release on Monday, April 22, 2024.

While the Router does use rustls, RUSTSEC-2024-0336 (also known as CVE-2024-32650 and GHSA-6g7w-8wpp-frhj) DOES NOT affect the Router, since it uses tokio-rustls, which is specifically called out in the advisory as unaffected.

Despite the lack of impact, we update rustls from v0.21.10 to v0.21.11, which includes a patch.
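The PR description above settles two questions by hand: which rustls version the lockfile pins, and whether rustls is reached only through tokio-rustls (unaffected per the advisory) or used directly. The script below is an added example, not code from this PR or from the Router; it answers both questions from a Cargo.lock with a small line-based parser, so no external crates or network access are needed. The sample lockfile is constructed for the example, the 0.21.11 threshold is the one this PR states, and any rustls series other than 0.21 is reported as "unknown" rather than guessed at. The names `triage`, `rustls_status` and `UNAFFECTED_WRAPPERS` are this example's own.

```python
"""Triage a Cargo.lock for RUSTSEC-2024-0336 / CVE-2024-32650 (added example)."""
import re
from dataclasses import dataclass, field

# The PR moves the 0.21 series to 0.21.11, which carries the patch. Other
# series are outside this example and are reported as "unknown" below.
PATCHED_0_21 = (0, 21, 11)

# Wrapper crate the PR cites as called out unaffected in the advisory.
UNAFFECTED_WRAPPERS = {"tokio-rustls"}


@dataclass
class Package:
    name: str
    version: str
    dependencies: list = field(default_factory=list)


_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
_DEP = re.compile(r'^"([^"]+)",?$')


def parse_lock(text: str) -> list:
    """Read only what triage needs from each [[package]]: name, version, deps."""
    packages, current, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = Package(name="", version="")
            packages.append(current)
            in_deps = False
            continue
        if current is None:
            continue  # file-level keys such as `version = 3`
        if in_deps:
            if line == "]":
                in_deps = False
            else:
                m = _DEP.match(line)
                if m:  # entries read "rustls" or "rustls 0.21.10"; keep the name
                    current.dependencies.append(m.group(1).split(" ")[0])
            continue
        if line == "dependencies = [":
            in_deps = True
            continue
        m = _KV.match(line)
        if m:
            key, value = m.groups()
            if key == "name":
                current.name = value
            elif key == "version":
                current.version = value
    return packages


def parse_version(v: str) -> tuple:
    core = v.split("-")[0].split("+")[0]  # drop pre-release / build metadata
    return tuple(int(p) for p in core.split("."))


def rustls_status(version: str) -> str:
    parsed = parse_version(version)
    if parsed[:2] != (0, 21):
        return "unknown"  # not the series this PR addresses; consult the advisory
    return "patched" if parsed >= PATCHED_0_21 else "vulnerable"


def triage(lock_text: str) -> dict:
    """Locked rustls versions, their status, and which crates depend on rustls."""
    packages = parse_lock(lock_text)
    rustls = [p for p in packages if p.name == "rustls"]
    dependents = sorted(p.name for p in packages if "rustls" in p.dependencies)
    return {
        "versions": {p.version: rustls_status(p.version) for p in rustls},
        "dependents": dependents,
        # True when every crate reaching rustls is one the advisory treats as
        # unaffected, which is the situation the PR describes for the Router.
        "only_via_unaffected_wrappers": bool(dependents)
        and set(dependents) <= UNAFFECTED_WRAPPERS,
    }


# Constructed sample lockfile (not the Router's Cargo.lock), trimmed to the
# fields the parser reads; rustls is reached only through tokio-rustls.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "demo-server"
version = "0.1.0"
dependencies = [
 "tokio",
 "tokio-rustls",
]

[[package]]
name = "rustls"
version = "0.21.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "log",
 "ring",
]

[[package]]
name = "tokio"
version = "1.37.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio-rustls"
version = "0.24.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "rustls",
 "tokio",
]
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(triage(text))
```

Run it against a real lockfile with `python triage.py path/to/Cargo.lock`. On the sample it reports rustls 0.21.10 as vulnerable but reached only through tokio-rustls, the same reading the PR gives for the Router; bumping to 0.21.11 flips the status to patched. A direct `rustls` dependency showing up in `dependents` is the case that needs the blocking-IO caveat from the advisory, not just the version bump.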

router-perf bot commented Apr 19, 2024

CI performance tests

  • reload - Reload test over a long period of time at a constant rate of users
  • events_big_cap_high_rate_callback - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity using callback mode
  • events_without_dedup_callback - Stress test for events with a lot of users and deduplication DISABLED using callback mode
  • large-request - Stress test with a 1 MB request payload
  • const - Basic stress test that runs with a constant number of users
  • no-graphos - Basic stress test, no GraphOS.
  • step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
  • events - Stress test for events with a lot of users and deduplication ENABLED
  • events_callback - Stress test for events with a lot of users and deduplication ENABLED in callback mode
  • events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
  • events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
  • xxlarge-request - Stress test with 100 MB request payload
  • xlarge-request - Stress test with 10 MB request payload
  • step - Basic stress test that steps up the number of users over time

@abernix (Member) left a comment

Thank you!

@abernix abernix changed the title Bump rustls version chore(deps,security): update rustls to v0.21.11 // CVE-2024-32650 Apr 20, 2024
@abernix abernix changed the title chore(deps,security): update rustls to v0.21.11 // CVE-2024-32650 chore(deps,security): update rustls to v0.21.11 Apr 20, 2024
@abernix abernix merged commit 8cfb485 into 1.45.0 Apr 20, 2024
13 checks passed
@abernix abernix deleted the tninesling/bump-rustls branch April 20, 2024 11:18
@abernix abernix mentioned this pull request Apr 22, 2024