Update Rust crate ring to v0.17.12 [SECURITY] #289
This PR contains the following updates:
ring: 0.17.8 -> 0.17.12
GitHub Vulnerability Alerts
GHSA-4p46-pwfr-66x6
ring::aead::quic::HeaderProtectionKey::new_mask() may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 2**32 packets sent and/or received.
On 64-bit targets operations using ring::aead::{AES_128_GCM, AES_256_GCM} may panic when overflow checking is enabled, when encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols like TLS and SSH are not affected by this because those protocols break large amounts of data into small chunks. Similarly, most applications will not attempt to encrypt/decrypt 64GB of data in one chunk.
Overflow checking is not enabled in release mode by default, but RUSTFLAGS="-C overflow-checks" or overflow-checks = true in the Cargo.toml profile can override this. Overflow checking is usually enabled by default in debug mode.
Release Notes
briansmith/ring (ring)
v0.17.12
============================
Bug fix: https://github.com/briansmith/ring/pull/24477 for denial of service (DoS).
Fixes a panic in
ring::aead::quic::HeaderProtectionKey::new_mask()
when integer overflow checking is enabled. In the QUIC protocol, an attacker can
induce this panic by sending a specially-crafted packet. Even unintentionally
it is likely to occur in 1 out of every 2**32 packets sent and/or received.
Fixes a panic on 64-bit targets in
ring::aead::{AES_128_GCM, AES_256_GCM}
when overflow checking is enabled, when encrypting/decrypting approximately
68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols
like TLS and SSH are not affected by this because those protocols break large
amounts of data into small chunks. Similarly, most applications will not
attempt to encrypt/decrypt 64GB of data in one chunk.
Overflow checking is not enabled in release mode by default, but
RUSTFLAGS="-C overflow-checks"
or overflow-checks = true
in the Cargo.toml profile can override this. Overflow checking is usually enabled by default in
debug mode.
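As an added example (not ring's own code and not the actual fix in the PR above), the defensive pattern the advisory points at: an input-length guard for a 32-bit counter-mode AEAD written with checked arithmetic, so an oversized input surfaces as an error rather than as an overflow-check panic. The limit constant is an assumption modelled on the 2^39 - 256 bit GCM plaintext bound, which yields the advisory's figure of roughly 68,719,476,700 bytes.

```rust
use std::convert::TryFrom;

/// Assumed AES-GCM plaintext limit: (2^32 - 2) counter blocks of 16 bytes,
/// i.e. 68,719,476,704 bytes (about 64 GiB). Not ring's constant; a model.
pub const AES_BLOCK_LEN: u64 = 16;
pub const GCM_MAX_BLOCKS: u64 = (1u64 << 32) - 2;
pub const GCM_MAX_INPUT_LEN: u64 = GCM_MAX_BLOCKS * AES_BLOCK_LEN;

#[derive(Debug, PartialEq, Eq)]
pub enum AeadError {
    /// Input longer than the mode's counter space can address.
    InputTooLong,
    /// Intermediate arithmetic would have overflowed.
    Overflow,
}

/// Counter blocks needed for `len` bytes, rounded up. `checked_add` means a
/// huge `len` returns `Err` instead of panicking under `-C overflow-checks`
/// (or silently wrapping without them).
pub fn blocks_needed(len: u64) -> Result<u64, AeadError> {
    len.checked_add(AES_BLOCK_LEN - 1)
        .map(|n| n / AES_BLOCK_LEN)
        .ok_or(AeadError::Overflow)
}

/// Guard to run before any counter-mode work: rejects inputs that would
/// exhaust a 32-bit block counter and returns the block count otherwise.
pub fn check_input_len(len: u64) -> Result<u64, AeadError> {
    if len > GCM_MAX_INPUT_LEN {
        return Err(AeadError::InputTooLong);
    }
    blocks_needed(len)
}

/// Hypothetical 32-bit per-block counter advance, as in a CTR/GCM keystream:
/// stepping past `u32::MAX` is reported as an error, never a panic.
pub fn advance_counter(counter: u32, blocks: u64) -> Result<u32, AeadError> {
    let step = u32::try_from(blocks).map_err(|_| AeadError::Overflow)?;
    counter.checked_add(step).ok_or(AeadError::Overflow)
}

fn main() {
    println!("assumed limit = {} bytes", GCM_MAX_INPUT_LEN);
    println!("1 MiB input      -> {:?}", check_input_len(1 << 20));
    println!("limit + 1 input  -> {:?}", check_input_len(GCM_MAX_INPUT_LEN + 1));
    println!("counter near max -> {:?}", advance_counter(u32::MAX - 1, 2));
}
```

Build once with `RUSTFLAGS="-C overflow-checks" cargo run --release` and once without to confirm the results are identical either way, which is the property the vulnerable code lacked.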
Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8pm,before 6am" in timezone America/Los_Angeles.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.