Resolve (mostly) RUSTSEC-2023-0052

Nick Mathewson requested to merge nickm/arti:webpki-update into main

The security issue here is an exponential CPU DoS caused by bogus certificate chains. The fix is to upgrade to the latest rustls-webpki in place of older versions of rustls-webpki and in place of the unmaintained webpki crate.

Unfortunately, arti-hyper uses tls-api, which uses webpki. I've opened an issue against tls-api; see #1016 (closed). For now I think we need an exception.