fix: update aws-sdk-sts to resolve rustls-webpki vulnerabilities#9918
Closed
Co-Authored-By: Oz <oz-agent@warp.dev>
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request.
Powered by Oz
Overview
This PR disables the legacy rustls default feature on aws-sdk-sts while retaining default-https-client and rt-tokio, which addresses the vulnerable legacy rustls-webpki dependency path described in the PR.
Concerns
- No blocking correctness, dependency, or security concerns were found in the annotated diff.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
Closes #10070
Summary
Disable the legacy `rustls` default feature on `aws-sdk-sts` to remove the transitive dependency on vulnerable `rustls-webpki` versions.
Vulnerabilities Resolved
Root Cause
`aws-sdk-sts = "1"` (with default features) includes a `rustls` feature that enables `aws-smithy-runtime/tls-rustls` → `aws-smithy-http-client/legacy-rustls-ring`. This legacy TLS backend pulls in `rustls 0.21.12` → `rustls-webpki 0.101.7` (vulnerable). The modern TLS backend (`default-https-client` → `rustls-aws-lc` → `rustls 0.23`) was already enabled separately.
Dependabot could not fix this because it can't modify feature flags — it reported the latest installable `rustls-webpki` was `0.101.7`.
Change
In `app/Cargo.toml`, changed:
This drops the `rustls` feature (legacy TLS) while keeping `default-https-client` (modern TLS via `rustls 0.23` + `aws-lc-rs`) and `rt-tokio`.
Removed Dependencies
The following legacy crates are completely removed from `Cargo.lock`:
- `rustls-webpki` 0.101.7
- `rustls` 0.21.12
- `hyper-rustls` 0.24.2
- `tokio-rustls` 0.24.1
- `h2` 0.3.x
- `hyper` 0.14.x
- `sct`
Verification
- `cargo audit` confirms the three rustls-webpki advisories no longer appear
- `rustls-webpki 0.103.13` and `rustls 0.23.40` remain in the lockfile
Co-Authored-By: Oz oz-agent@warp.dev
Conversation: https://staging.warp.dev/conversation/47650e53-d221-4216-afb7-f99130dfed60
Run: https://oz.staging.warp.dev/runs/019de96b-0fc5-791e-b920-7280b5471474
This PR was generated with Oz.
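The `app/Cargo.toml` diff itself is not reproduced on this page. The following is an added illustration, not the PR's own change, of the dependency declaration that pulls in the legacy TLS path beside the corrected one as the description specifies it (default features off, `default-https-client` and `rt-tokio` kept); the exact wording of the "before" line and the surrounding `[dependencies]` table are assumptions.

```toml
[dependencies]
# Before (assumed form): default features on. The crate's `rustls` default
# feature enables aws-smithy-runtime/tls-rustls ->
# aws-smithy-http-client/legacy-rustls-ring -> rustls 0.21 -> rustls-webpki 0.101.
# aws-sdk-sts = "1"

# After: opt out of default features so the legacy `rustls` feature is no
# longer enabled, and re-list only the features the application needs:
# the modern TLS backend (default-https-client -> rustls 0.23 + aws-lc-rs)
# and the tokio runtime.
aws-sdk-sts = { version = "1", default-features = false, features = ["default-https-client", "rt-tokio"] }
```

`default-features = false` drops every feature the crate enables by default, not just `rustls`, so any other default feature the application relied on has to be re-listed explicitly. After the edit, `cargo update` regenerates `Cargo.lock`; `cargo tree -i rustls-webpki@0.101.7` should then report that no package depends on the vulnerable version, and `cargo audit` (as used in the verification section above) confirms the advisories no longer appear.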