Release openssl v0.10.78 and openssl-sys v0.9.114#2609
Merged
alex merged 1 commit intorust-openssl:masterfrom Apr 19, 2026
Merged
Release openssl v0.10.78 and openssl-sys v0.9.114#2609alex merged 1 commit intorust-openssl:masterfrom
alex merged 1 commit intorust-openssl:masterfrom
Conversation
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
botovq
approved these changes
Apr 19, 2026
Contributor
botovq
left a comment
botovq
left a comment
There was a problem hiding this comment.
I'm fine with this. Wonder if a line of credit is in order in the fixed part of the openssl/CHANGELOG.md.
Collaborator
Author
|
The GHSA's all have credits on them, seems sufficient to me. |
|
penberg
added a commit
to tursodatabase/turso
that referenced
this pull request
Apr 23, 2026
…pendabot Bumps [openssl](https://github.com/rust-openssl/rust-openssl) from 0.10.75 to 0.10.78. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-openssl/rust- openssl/releases">openssl's releases</a>.</em></p> <blockquote> <h2>openssl-v0.10.78</h2> <h2>What's Changed</h2> <ul> <li>Fix Suite B flag assignments in verify.rs by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2592">rust-openssl/rust-openssl#2592</a></li> <li>Use cvt_p for OPENSSL_malloc error handling by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2593">rust-openssl/rust-openssl#2593</a></li> <li>Mark BIO_get_mem_data on AWS-LC to be unsafe by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2594">rust-openssl/rust-openssl#2594</a></li> <li>Set timeout for package installation step by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2595">rust-openssl/rust-openssl#2595</a></li> <li>Panic in Crypter::new when IV is required but not provided by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2596">rust-openssl/rust-openssl#2596</a></li> <li>openssl 4 support by <a href="https://github.com/reaperhulk"><code>@reaperhulk</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2591">rust-openssl/rust-openssl#2591</a></li> <li>Avoid panic for overlong OIDs by <a href="https://github.com/botovq"><code>@botovq</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2598">rust-openssl/rust-openssl#2598</a></li> <li>Fix dangling stack pointer in custom extension add callback by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2599">rust-openssl/rust-openssl#2599</a></li> <li>Add support for LibreSSL 4.3.x by <a href="https://github.com/botovq"><code>@botovq</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2603">rust-openssl/rust-openssl#2603</a></li> <li>fix inverted bounds assertion in AES key unwrap by <a href="https://github.com/reaperhulk"><code>@reaperhulk</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2604">rust-openssl/rust-openssl#2604</a></li> <li>Reject oversized length returns from password callback trampoline by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2605">rust-openssl/rust-openssl#2605</a></li> <li>Validate callback-returned lengths in PSK and cookie trampolines by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2607">rust-openssl/rust-openssl#2607</a></li> <li>Error for short out in MdCtxRef::digest_final() by <a href="https://github.com/botovq"><code>@botovq</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2608">rust-openssl/rust-openssl#2608</a></li> <li>Check derive output buffer length on OpenSSL 1.1.x by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2606">rust-openssl/rust-openssl#2606</a></li> <li>Release openssl v0.10.78 and openssl-sys v0.9.114 by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2609">rust-openssl/rust-openssl#2609</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rust- openssl/rust-openssl/compare/openssl-v0.10.77...openssl- v0.10.78">https://github.com/rust-openssl/rust- openssl/compare/openssl-v0.10.77...openssl-v0.10.78</a></p> <h2>openssl-v0.10.77</h2> <h2>What's Changed</h2> <ul> <li>CI: Hash-pin all action usage, avoid credential persistence in actions/checkout by <a href="https://github.com/woodruffw"><code>@woodruffw</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2587">rust-openssl/rust-openssl#2587</a></li> <li>Bump aws-lc-sys to 0.39 by <a href="https://github.com/goffrie"><code>@goffrie</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2588">rust-openssl/rust-openssl#2588</a></li> <li>md_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2589">rust-openssl/rust-openssl#2589</a></li> <li>Release openssl v0.10.77 and openssl-sys v0.9.113 by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2590">rust-openssl/rust-openssl#2590</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/woodruffw"><code>@woodruffw</code></a> made their first contribution in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2587">rust-openssl/rust-openssl#2587</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rust- openssl/rust-openssl/compare/openssl-v0.10.76...openssl- v0.10.77">https://github.com/rust-openssl/rust- openssl/compare/openssl-v0.10.76...openssl-v0.10.77</a></p> <h2>openssl-v0.10.76</h2> <h2>What's Changed</h2> <ul> <li>feat: New methods EVP_PKEY_new_raw_*_key_ex and EVP_PKEY_is_a by <a href="https://github.com/FinnRG"><code>@FinnRG</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2521">rust-openssl/rust-openssl#2521</a></li> <li>Fix invalid value parsing of OCSP revocation reason by <a href="https://github.com/danpashin"><code>@danpashin</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2523">rust-openssl/rust-openssl#2523</a></li> <li>Bump actions/checkout from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2524">rust-openssl/rust-openssl#2524</a></li> <li>Bump aws-lc-sys from 0.27 to 0.34 by <a href="https://github.com/goffrie"><code>@goffrie</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2526">rust-openssl/rust-openssl#2526</a></li> <li>Expose X509_NAME_dup on all versions of OpenSSL by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2529">rust-openssl/rust-openssl#2529</a></li> <li>Unconditionally expose some *_dup() functions by <a href="https://github.com/botovq"><code>@botovq</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2530">rust-openssl/rust-openssl#2530</a></li> <li>reintroduce dir_name support for subject_alt_names by <a href="https://github.com/mqqz"><code>@mqqz</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2528">rust-openssl/rust-openssl#2528</a></li> <li>Fix cipher comparison with NID instead of pointers by <a href="https://github.com/lwestlund"><code>@lwestlund</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2531">rust-openssl/rust-openssl#2531</a></li> <li>Remove ASN1_STRING_data for LibreSSL 4.3.0 by <a href="https://github.com/botovq"><code>@botovq</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2534">rust-openssl/rust-openssl#2534</a></li> <li>drop openssl 1.0.2 by <a href="https://github.com/alex"><code>@alex</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2545">rust-openssl/rust-openssl#2545</a></li> <li>Bump actions/cache from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2542">rust-openssl/rust-openssl#2542</a></li> <li>Add Debug implementation for EcdsaSig{,Ref} by <a href="https://github.com/buytenh"><code>@buytenh</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2540">rust-openssl/rust-openssl#2540</a></li> <li>Add HKDF support by <a href="https://github.com/Zenkibou"><code>@Zenkibou</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2543">rust-openssl/rust-openssl#2543</a></li> <li>Enhance Debug implementation for Nid by <a href="https://github.com/buytenh"><code>@buytenh</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2547">rust-openssl/rust-openssl#2547</a></li> <li>Remove X509_VERIFY_PARAM_ID for LibreSSL 4.3.0 by <a href="https://github.com/botovq"><code>@botovq</code></a> in <a href="https://redirect.github.com/rust-openssl/rust- openssl/pull/2549">rust-openssl/rust-openssl#2549</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="rust-openssl/rust-openssl@a6debf5 35674c9a073f455158743e6ba094cf1b4"><code>a6debf5</code></a> Release openssl v0.10.78 and openssl-sys v0.9.114 (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2609">#2609</a>)</li> <li><a href="rust-openssl/rust-openssl@09b425e 5f59a2466d806e71a83a9a449c914c596"><code>09b425e</code></a> Check derive output buffer length on OpenSSL 1.1.x (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2606">#2606</a>)</li> <li><a href="rust-openssl/rust-openssl@826c388 8b77add418b394770e2b2e3a72d9f92fe"><code>826c388</code></a> Error for short out in MdCtxRef::digest_final() (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2608">#2608</a>)</li> <li><a href="rust-openssl/rust-openssl@1d10902 0d98fff2fb2e45c39a373af3dff99b24c"><code>1d10902</code></a> Validate callback-returned lengths in PSK and cookie trampolines (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2607">#2607</a>)</li> <li><a href="rust-openssl/rust-openssl@5af6895 c907773699f37f583f409b862284062b1"><code>5af6895</code></a> Reject oversized length returns from password callback trampoline (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2605">#2605</a>)</li> <li><a href="rust-openssl/rust-openssl@718d07f f8ff7be417d5b7a6a0047f1607520b3b6"><code>718d07f</code></a> fix inverted bounds assertion in AES key unwrap (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2604">#2604</a>)</li> <li><a href="rust-openssl/rust-openssl@53cc69d 2f3f0d7f19e46fe49c5ffb523785a3664"><code>53cc69d</code></a> Add support for LibreSSL 4.3.x (<a href="https://redirect.github.com/rust- openssl/rust-openssl/issues/2603">#2603</a>)</li> <li><a href="rust-openssl/rust-openssl@0b41e79 3d6740ed2d6f2395a0c074d02568f9f66"><code>0b41e79</code></a> Fix dangling stack pointer in custom extension add callback (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2599">#2599</a>)</li> <li><a href="rust-openssl/rust-openssl@cbdedf8 105bfcce218fcdc09440d090431914710"><code>cbdedf8</code></a> Avoid panic for overlong OIDs (<a href="https://redirect.github.com/rust- openssl/rust-openssl/issues/2598">#2598</a>)</li> <li><a href="rust-openssl/rust-openssl@1fc51ef a3f63e38a3139e201edf3395e5a10f8ba"><code>1fc51ef</code></a> openssl 4 support (<a href="https://redirect.github.com/rust-openssl/rust- openssl/issues/2591">#2591</a>)</li> <li>Additional commits viewable in <a href="https://github.com/rust- openssl/rust- openssl/compare/openssl-v0.10.75...openssl-v0.10.78">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security- vulnerabilities/about-dependabot-security-updates#about-compatibility- scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/tursodatabase/turso/network/alerts). </details> Closes #6540
|
Do you also plan to submit these to the RUSTSEC advisory database (or maybe even get CVEs assigned to them)? GitHub advisories alone are not very discoverable, especially for projects that aren't hosted on GitHub. |
Collaborator
Author
|
There's some automation that can import GHSAs into RUSTSEC, I can't remember it's exact parameters though. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.