Skip to content

Bump rustls-webpki from 0.103.10 to 0.103.12#92

Closed
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/cargo/rustls-webpki-0.103.12
Closed

Bump rustls-webpki from 0.103.10 to 0.103.12#92
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/cargo/rustls-webpki-0.103.12

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026
edited
Loading

Bumps rustls-webpki from 0.103.10 to 0.103.12.

Release notes

Sourced from rustls-webpki's releases.

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Commits
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown criticial extensions
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Apr 21, 2026
@dependabot
Bump rustls-webpki from 0.103.10 to 0.103.12
737265b 
Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.12.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.10...v/0.103.12)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/rustls-webpki-0.103.12 branch from ae7d257 to 737265b Compare April 21, 2026 11:23
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 24, 2026

Superseded by #94.

@dependabot dependabot Bot closed this Apr 24, 2026
@dependabot dependabot Bot deleted the dependabot/cargo/rustls-webpki-0.103.12 branch April 24, 2026 17:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants