Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): bump the cargo group across 1 directory with 12 updates #3

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): bump the cargo group across 1 directory with 12 updates #3

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Jul 22, 2024

Bumps the cargo group with 11 updates in the / directory:

Package From To
tokio 1.20.1 1.20.4
rustls 0.21.3 0.21.5
openssl 0.10.41 0.10.66
remove_dir_all 0.7.0 0.8.0
rsa 0.9.2 0.9.6
whoami 1.2.1 1.5.0
borsh 0.10.2 0.10.3
bumpalo 3.10.0 3.16.0
mio 0.8.4 0.8.8
rustix 0.35.7 0.35.16
rustls-webpki 0.101.1 0.101.6

Updates tokio from 1.20.1 to 1.20.4

Release notes

Sourced from tokio's releases.

Tokio v1.20.2

1.20.2 (September 27, 2022)

This release removes the dependency on the once_cell crate to restore the MSRV of the 1.20.x LTS release. (#5048)

#5048: tokio-rs/tokio#5048

Commits
  • f3ce29a chore: prepare Tokio v1.20.4 release
  • 0d8fe5f Merge branch 'tokio-1.18.x' into tokio-1.20.x
  • 171ce0f chore: prepare Tokio v1.18.5 release
  • d6ea7a7 Add T: Unpin bound to ReadHalf::unsplit
  • ba81945 chore: prepare Tokio 1.20.3 release
  • 763bdc9 ci: run WASI tasks using latest Rust
  • 9f98535 Merge remote-tracking branch 'origin/tokio-1.18.x' into fix-named-pipes-1.20
  • 9241c3e chore: prepare Tokio v1.18.4 release
  • 699573d net: fix named pipes server configuration builder
  • 3d95a46 chore: prepare Tokio v1.20.2 (#5055)
  • Additional commits viewable in compare view

Updates rustls from 0.21.3 to 0.21.5

Commits
  • b1808ac cargo: prepare 0.21.5 release.
  • 6ff5b77 Revert "Take IntoIterator in add_parsable_certificates()"
  • f613c9f cargo: prepare 0.21.4 release.
  • 11e9386 Prepare to move release notes to github releases
  • 4a9f375 RELEASING.md: restructure, use github releases
  • 7924f00 Take IntoIterator in add_parsable_certificates()
  • 6fedb35 client: with_single_cert -> with_client_auth_cert
  • 208d767 deps: update webpki-roots 0.23.0 -> 0.24.0
  • da5be06 error: use automatic link for RFC 5280 ref.
  • 3e90954 lib: export CertRevocationListError enum.
  • See full diff in compare view

Updates openssl from 0.10.41 to 0.10.66

Release notes

Sourced from openssl's releases.

openssl-v0.10.66

What's Changed

Full Changelog: sfackler/rust-openssl@openssl-v0.10.65...openssl-v0.10.66

openssl-v0.10.65

What's Changed

New Contributors

Full Changelog: sfackler/rust-openssl@openssl-v0.10.64...openssl-v0.10.65

openssl-v0.10.64

What's Changed

... (truncated)

Commits
  • ad70a0b Merge pull request #2267 from alex/bump-for-release
  • 5ce473b Release openssl v0.10.66
  • aef36e0 Merge pull request #2266 from alex/mem-bio-invariant
  • 142deef Fixed invariant violation in MemBio::get_buf with empty results
  • 32f150b Merge pull request #2265 from alex/bump-for-release
  • 98addd2 Release openssl v0.10.65 and openssl-sys v0.9.103
  • 7c7958d Merge pull request #2262 from alex/pkey-api
  • d7b12cc Switch Pkey::from_ to use set1 functions
  • 22ffa9a Merge pull request #2258 from sfackler/init-md
  • 9de3794 Initialize OpenSSL in MD constructors
  • Additional commits viewable in compare view

Updates remove_dir_all from 0.7.0 to 0.8.0

Changelog

Sourced from remove_dir_all's changelog.

0.8.0

Security changes

  • Fix TOCTOU race conditions both inside the implementation of functions and the contract: functions now only operate on directories. Callers wanting to process the contents of a symlink (e.g. for remove_dir_contents) should resolve the symlink themselves. This is an API break from 0.7.0, but the previous behaviour was insecure.

    This is due to the same code pattern as caused CVE-2022-21658 in Rust itself: it was possible to trick a privileged process doing a recursive delete in an attacker controlled directory into deleting privileged files, on all operating systems.

    For instance, consider deleting a tree called 'etc' in a parent directory called 'p'. Between calling remove_dir_all("a") and remove_dir_all("a") actually starting its work, the attacker can move 'p' to 'p-prime', and replace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc' which is actually /etc, and now your system is broken. There are some mitigations for this exact scenario, such as CWD relative file lookup, but they are not guaranteed - any code using absolute paths will not have that protection in place.

    The same attack could be performed at any point in the directory tree being deleted: if 'a' contains a child directory called 'etc', attacking the deletion by replacing 'a' with a link is possible.

    The new code in this release mitigates the attack within the directory tree being deleted by using file-handle relative operations: to open 'a/etc', the path 'etc' relative to 'a' is opened, where 'a' is represented by a file descriptor (Unix) or handle (Windows). With the exception of the entry points into the directory deletion logic, this is robust against manipulation of the directory hierarchy, and remove_dir_all will only delete files and directories contained in the tree it is deleting.

    The entry path however is a challenge - as described above, there are some potential mitigations, but since using them must be done by the calling code, it is hard to be confident about the security properties of the path based interface.

    The new extension trait RemoveDir provides an interface where it is much harder to get it wrong.

    somedir.remove_dir_contents("name-of-child").

    Callers can then make their own security evaluation about how to securely get a directory handle. That is still not particularly obvious, and we're going to follow up with a helper of some sort (probably in the fs_at crate). Once that is available, the path based entry points will get deprecated.

... (truncated)

Commits

Updates rsa from 0.9.2 to 0.9.6

Changelog

Sourced from rsa's changelog.

0.9.6 (2023-12-01)

Added

  • expose a pss::get_default_pss_signature_algo_id helper (#393)
  • expose pkcs1v15::RsaSignatureAssociatedOid (#392)

#392: RustCrypto/RSA#392 #393: RustCrypto/RSA#393

0.9.5 (2023-11-27)

Added

  • Adds RsaPrivateKey::from_primes and RsaPrivateKey::from_p_q methods (#386)

#386: RustCrypto/RSA#386

0.9.4 (2023-11-20)

Added

  • Deterministic implementation of prime factors recovery (#380)

#380: RustCrypto/RSA#380

0.9.3 (2023-10-26)

Added

  • PKCS#8/SPKI decoding trait impls for pkcs1v15 keys (#346)
  • hazmat feature as a replacement for expose-internals (#352)

Changed

  • Bump serde dependency to 1.0.184 (#360)

Removed

  • Unused dependencies (#357)

#346: RustCrypto/RSA#346 #352: RustCrypto/RSA#352 #357: RustCrypto/RSA#357 #360: RustCrypto/RSA#360

Commits

Updates whoami from 1.2.1 to 1.5.0

Changelog

Sourced from whoami's changelog.

[1.5.0] - 2024-03-03

Added

  • WASI support
  • Redox support
  • Fallible functions
    • whoami::fallible::devicename()
    • whoami::fallible::devicename_os()
    • whoami::fallible::distro()
    • whoami::fallible::hostname() - notably doesn't normalize to lowercase
    • whoami::fallible::realname()
    • whoami::fallible::realname_os()
    • whoami::fallible::username()
    • whoami::fallible::username_os()
  • whoami::Language
  • whoami::Country
  • whoami::langs()
  • whoami::fallible::account()
  • whoami::fallible::account_os()
  • whoami::DesktopEnv::is_gtk()
  • whoami::DesktopEnv::is_kde()

Removed

  • Generated device names that infer casing based on the hostname when the device name is not available - now returns the hostname unchanged
  • Partial (potentially unsound) support for Android, iOS, watchOS, tvOS, Fuchsia, Haiku, Solaris, and a few others. These targets now use the "fake" implementation.

Changed

  • Deprecated whoami::distro_os()
  • Deprecated whoami::hostname()
  • Deprecated whoami::hostname_os()
  • Deprecated whoami::lang()
  • illumos and Redox are no longer untested targets
  • Documented that illumos and Redox have a higher MSRV (Rust 1.65) than other targets
  • Display implementation on Platform::Illumos now displays in lowercase: illumos

Fixed

  • Removed some unnecessary allocations
  • Rare and nearly impossible cases of undefined behavior
  • Better handling of UTF-8 non-conformant strings
  • Multiple instances of undefined behavior on illumos

... (truncated)

Commits

Updates borsh from 0.10.2 to 0.10.3

Changelog

Sourced from borsh's changelog.

[0.10.3] - 2023-03-22

  • Add optional bytes/bytesmut support
Commits
  • 79097e3 release: Prepare for 0.10.3 release
  • ad25b07 ci: Removed release-plz as it does not play well with the workspaces setup we...
  • c93d434 ci: Add release-plz CI action which will create a PR with a suggestion to cut...
  • e91f405 feat: Add optional bytes/bytesmut support (#132)
  • See full diff in compare view

Updates bumpalo from 3.10.0 to 3.16.0

Changelog

Sourced from bumpalo's changelog.

3.16.0

Released 2024-04-08.

Added

  • Added an optional, off-by-default dependency on the serde crate. Enabling this dependency allows you to serialize Bumpalo's collection and box types. Deserialization is not implemented, due to constraints of the deserialization trait.

3.15.4

Released 2024-03-07.

Added

  • Added the bumpalo::collections::Vec::extend_from_slices_copy method, which is a faster way to extend a vec from multiple slices when the element is Copy than calling extend_from_slice_copy N times.

3.15.3

Released 2024-02-22.

Added

  • Added additional performance improvements to bumpalo::collections::Vec related to reserving capacity.

3.15.2

Released 2024-02-21.

Added

  • Add a bumpalo::collections::Vec::extend_from_slice_copy method. This doesn't exist on the standard library's Vec but they have access to specialization, so their regular extend_from_slice has a specialization for Copy types. Using this new method for Copy types is a ~80x performance improvement over the plain extend_from_slice method.

... (truncated)

Commits
  • 4eeab88 Bump to version 3.16.0
  • d746a56 add serde serialization support (#210)
  • 49c5a71 Bump to version 3.15.4
  • 6a91333 Adds Vec::extend_from_slices_copy that accepts multiple slices (#240)
  • 2ed8718 Bump to 3.15.3
  • 1803cca Modifies RawVec reserve fn structure to improve inlining (#239)
  • 2ffdfb3 Bump to version 3.15.2
  • 54c88f0 Provides implementation of Vec::extend_from_slice optimized for T: Copy (...
  • f8597ce Fix MSRV in Cargo.toml; bump to version 3.15.1
  • bb660a3 Bump to version 3.15.0
  • Additional commits viewable in compare view

Updates mio from 0.8.4 to 0.8.8

Changelog

Sourced from mio's changelog.

0.8.8

Fixed

0.8.7

Added

  • Add/fix support for tvOS and watchOS, Mio should now build for tvOS and watchOS, but we don't have a CI setup yet (tokio-rs/mio#1658).

Changed

  • Made the log dependency optional behind the log feature flag (enabled by default). Users that disabled Mio's default features will now not see any logging from Mio, enabling the log feature will fix that. This was done in response to the log crate increasing it's MSRV to v1.60, see rust-lang/log#552 (tokio-rs/mio#1673).
  • Update windows-sys dependency to v0.48 (tokio-rs/mio#1663).

Fixed

  • Fix overflow in Poll::poll when using Duration::MAX as timeout (tokio-rs/mio#1657).

0.8.6

Added

  • Interest::PRIORITY on Linux and Android, to trigger Event::is_priority (tokio-rs/mio#1647).

Changed

Fixed

  • A number of potential fd leaks when setup resulted in an error right after creation (tokio-rs/mio#1636).
  • Less truncating for timeout values in Poll::poll (tokio-rs/mio#1642).

... (truncated)

Commits

Updates openssl-src from 111.22.0+1.1.1q to 300.3.1+3.3.1

Commits

Updates rustix from 0.35.7 to 0.35.16

Commits
  • 45a3974 chore: Release rustix version 0.35.16
  • f1b336e Fix p{read,write}v{,v2}'s encoding of the offset argument on Linux. (#896) (#...
  • 954bb0d chore: Release rustix version 0.35.15
  • 842d7d9 Remove some rerun-if-env-changed lines from build.rs. (#576)
  • 7eb9187 Add a comment.
  • 556ed8a Only use RUSTC_WRAPPER when non empty (#565)
  • 1b0d416 Check RUSTC_WRAPPER instead of CARGO_RUSTC_WRAPPER.
  • 48182c5 Add more cargo:rerun-if-env-changed's to build.rs (#544)
  • 3de9a4d Sync with io-lifetimes' build.rs changes (#511)
  • ccf6e91 Disable riscv64 testing.
  • Additional commits viewable in compare view

Updates rustls-webpki from 0.101.1 to 0.101.6

Release notes

Sourced from rustls-webpki's releases.

0.101.6

  • The CertificateRevocationList trait's verify_signature Budget argument was removed. This was a semver incompatible change mistakenly introduced in v0.101.5.

What's Changed

Full Changelog: rustls/webpki@v/0.101.5...v/0.101.6

0.101.5

  • Path building complexity is now limited to a maximum budget of path finding operations, avoiding exponential processing time when encountering certificate chains containing many certificates with the same subject/issuer distinguished name but different subject public key information.
  • Name constraints evaluation is now limited to a maximum number of comparison operations, avoiding exponential processing time when encountering certificate chains containing many name constraints and subject alternate names.
  • Subject common names are no longer parsed for name iteration, or applying name constraints. Webpki only uses Subject Alternate Names when validating certificates, and the common name handling was buggy, producing Error::BadDer when iterating certificates with printable string subject common names, or omitted common names encoded as an empty sequence.

What's Changed

The following PRs were backported to the rel-0.101 branch in #170:

  • Further limits on expensive path building (#163)
  • Budget tweaks (#164)
  • Bound name constraint comparisons (#165)
  • Remove subject common name parsing (#169, thanks to @​hawkw)
  • Correct handling of fatal errors (#168)

Thanks to all who have contributed, on behalf of the rustls team (@​ctz, @​cpu and @​djc)!

0.101.4

Release notes

  • certificate path building and verification is now capped at 100 signature validation operations to avoid the risk of CPU usage denial-of-service attack when validating crafted certificate chains producing quadratic runtime. This risk affected both clients, as well as servers that verified client certificates.

What's Changed

Full Changelog: rustls/webpki@v/0.101.3...v/0.101.4

v/0.101.3

Release Notes

  • TlsServerTrustAnchors, TlsClientTrustAnchors, verify_is_valid_tls_server_cert and verify_is_valid_tls_client_cert deprecation notes improved.

What's Changed

Full Changelog: rustls/webpki@v/0.101.2...v/0.101.3

v/0.101.2

Release notes

... (truncated)

Commits
  • 7956538 Cargo: v0.101.5 -> v0.101.6
  • 7f8208e crl: rm Budget from verify_signature fn
  • 7cb6c64 Cargo: bump version 0.101.4 -> 0.101.5
  • 2dd2a06 verify_cert: use enum for build chain error
  • c255d61 verify_cert: correct handling of fatal errors
  • b166eab error: add is_fatal helper, use in verify_cert
  • cce08ee verify_cert: optional Budget arg for verify_chain helper
  • 08fd439 verify_cert: take references in verify_chain helper
  • c9914e4 Remove common name parsing from NameIterator
  • bb9fe71 Remove tests for common name handling
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the cargo group across 1 directory with 12 updates
434b7e4 
Bumps the cargo group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [tokio](https://github.com/tokio-rs/tokio) | `1.20.1` | `1.20.4` |
| [rustls](https://github.com/rustls/rustls) | `0.21.3` | `0.21.5` |
| [openssl](https://github.com/sfackler/rust-openssl) | `0.10.41` | `0.10.66` |
| [remove_dir_all](https://github.com/XAMPPRocky/remove_dir_all) | `0.7.0` | `0.8.0` |
| [rsa](https://github.com/RustCrypto/RSA) | `0.9.2` | `0.9.6` |
| [whoami](https://github.com/ardaku/whoami) | `1.2.1` | `1.5.0` |
| [borsh](https://github.com/near/borsh-rs) | `0.10.2` | `0.10.3` |
| [bumpalo](https://github.com/fitzgen/bumpalo) | `3.10.0` | `3.16.0` |
| [mio](https://github.com/tokio-rs/mio) | `0.8.4` | `0.8.8` |
| [rustix](https://github.com/bytecodealliance/rustix) | `0.35.7` | `0.35.16` |
| [rustls-webpki](https://github.com/rustls/webpki) | `0.101.1` | `0.101.6` |



Updates `tokio` from 1.20.1 to 1.20.4
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.20.1...tokio-1.20.4)

Updates `rustls` from 0.21.3 to 0.21.5
- [Release notes](https://github.com/rustls/rustls/releases)
- [Changelog](https://github.com/rustls/rustls/blob/main/CHANGELOG.md)
- [Commits](rustls/rustls@v/0.21.3...v/0.21.5)

Updates `openssl` from 0.10.41 to 0.10.66
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](sfackler/rust-openssl@openssl-v0.10.41...openssl-v0.10.66)

Updates `remove_dir_all` from 0.7.0 to 0.8.0
- [Release notes](https://github.com/XAMPPRocky/remove_dir_all/releases)
- [Changelog](https://github.com/XAMPPRocky/remove_dir_all/blob/master/CHANGELOG.md)
- [Commits](https://github.com/XAMPPRocky/remove_dir_all/compare/v0.7.0...remove_dir_all@0.8.0)

Updates `rsa` from 0.9.2 to 0.9.6
- [Changelog](https://github.com/RustCrypto/RSA/blob/master/CHANGELOG.md)
- [Commits](RustCrypto/RSA@v0.9.2...v0.9.6)

Updates `whoami` from 1.2.1 to 1.5.0
- [Changelog](https://github.com/ardaku/whoami/blob/v1/CHANGELOG.md)
- [Commits](ardaku/whoami@v1.2.1...v1.5.0)

Updates `borsh` from 0.10.2 to 0.10.3
- [Release notes](https://github.com/near/borsh-rs/releases)
- [Changelog](https://github.com/near/borsh-rs/blob/master/CHANGELOG.md)
- [Commits](near/borsh-rs@v0.10.2...borsh-v0.10.3)

Updates `bumpalo` from 3.10.0 to 3.16.0
- [Changelog](https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md)
- [Commits](fitzgen/bumpalo@3.10.0...3.16.0)

Updates `mio` from 0.8.4 to 0.8.8
- [Release notes](https://github.com/tokio-rs/mio/releases)
- [Changelog](https://github.com/tokio-rs/mio/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/mio@v0.8.4...v0.8.8)

Updates `openssl-src` from 111.22.0+1.1.1q to 300.3.1+3.3.1
- [Release notes](https://github.com/alexcrichton/openssl-src-rs/releases)
- [Commits](https://github.com/alexcrichton/openssl-src-rs/commits)

Updates `rustix` from 0.35.7 to 0.35.16
- [Release notes](https://github.com/bytecodealliance/rustix/releases)
- [Commits](bytecodealliance/rustix@v0.35.7...v0.35.16)

Updates `rustls-webpki` from 0.101.1 to 0.101.6
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.101.1...v/0.101.6)

---
updated-dependencies:
- dependency-name: tokio
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: rustls
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: openssl
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: remove_dir_all
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: rsa
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: whoami
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: borsh
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: bumpalo
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: mio
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: openssl-src
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustix
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jul 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants