Skip to content

Resolve (mostly) RUSTSEC-2023-0052

Nick Mathewson requested to merge nickm/arti:webpki-update into main

The security issue here is an exponential CPU DoS caused by bogus certificate chains. The fix is to upgrade to the latest rustls-webpki in place of older versions of rustls-webpki and in place of the unmaintained webpki crate.

Unfortunately, arti-hyper uses tls-api, which uses webpki. I've opened an issue against tls-api; see #1016 (closed). For now I think we need an exception.

Merge request reports

Loading