
[1.7] Bump openssl to 0.10.80 to address CVE alerts #3577

Merged
benhillis merged 1 commit into microsoft:release/1.7.2511 from benhillis:user/benhill/1.7-openssl-bump on May 28, 2026

Conversation

@benhillis
Member

@benhillis benhillis commented May 27, 2026

Bumps the openssl crate from 0.10.72 to 0.10.80 on the release/1.7.2511 branch to address multiple security advisories:

  • rust-openssl undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs (fixed in 0.10.79)
  • rust-openssl heap buffer overflow when encrypting with AES key-wrap-with-padding (fixed in 0.10.80)

Updates the openssl crate from 0.10.72 to 0.10.80 to address multiple
security advisories:

- rust-openssl has undefined behavior in X509Ref::ocsp_responders for
  certificates with non-UTF-8 OCSP URLs (fixed in 0.10.79)
- rust-openssl vulnerable to heap buffer overflow when encrypting with
  AES key-wrap-with-padding (fixed in 0.10.80)

Cargo.lock-only change.
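Since the fix here is a Cargo.lock-only bump, the check a reviewer wants is that the resolved `openssl` version in the lockfile is at or above the version that carries both advisories' fixes. The following is an added example, not code from the PR or the project: a dependency-free Rust gate that scans a Cargo.lock for `[[package]]` entries and flags any resolved `openssl` version below 0.10.80. The two lockfile fragments are constructed samples, not the project's real Cargo.lock, and the `openssl-sys` version in them is a placeholder.

```rust
// Added example (not the project's code): gate a Cargo.lock on the minimum
// fixed versions for the rust-openssl advisories named in the PR.
// Assumes the standard Cargo.lock layout of `[[package]]` blocks with
// `name = "..."` followed by `version = "..."`.

use std::collections::HashMap;

/// Floor versions that carry the cited fixes. 0.10.79 fixed the
/// ocsp_responders undefined behavior and 0.10.80 the key-wrap overflow,
/// so 0.10.80 is the floor for both.
const MIN_VERSIONS: &[(&str, &str)] = &[("openssl", "0.10.80")];

/// Parse "major.minor.patch" into a comparable tuple. Pre-release suffixes
/// are not handled; anything malformed yields None (treated as failing).
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.trim().split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// Collect resolved versions from Cargo.lock text as crate name -> versions.
/// A crate can resolve to several versions in one lockfile, so keep them all.
fn resolved_versions(lock: &str) -> HashMap<String, Vec<String>> {
    let mut out: HashMap<String, Vec<String>> = HashMap::new();
    let mut name: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            name = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            // The top-level `version = 3` lockfile-format line has no
            // preceding name and is skipped here.
            if let Some(n) = name.take() {
                out.entry(n).or_default().push(rest.trim_matches('"').to_string());
            }
        }
    }
    out
}

/// Return every (crate, resolved version) pair below its floor.
/// An empty result means the lockfile carries the fixes.
fn find_outdated(lock: &str) -> Vec<(String, String)> {
    let resolved = resolved_versions(lock);
    let mut bad = Vec::new();
    for (name, min) in MIN_VERSIONS {
        let floor = parse_semver(min).expect("MIN_VERSIONS holds valid semver");
        if let Some(versions) = resolved.get(*name) {
            for v in versions {
                match parse_semver(v) {
                    Some(t) if t >= floor => {}
                    // Unparsable or too old: flag it.
                    _ => bad.push((name.to_string(), v.clone())),
                }
            }
        }
    }
    bad
}

/// Constructed sample fragments (not the project's real Cargo.lock).
const LOCK_BEFORE: &str = r#"
version = 3

[[package]]
name = "openssl"
version = "0.10.72"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "openssl-sys",
]

[[package]]
name = "openssl-sys"
version = "0.9.0"
"#;

const LOCK_AFTER: &str = r#"
version = 3

[[package]]
name = "openssl"
version = "0.10.80"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for (label, lock) in [("before", LOCK_BEFORE), ("after", LOCK_AFTER)] {
        let bad = find_outdated(lock);
        if bad.is_empty() {
            println!("{label}: all gated crates at or above their fixed versions");
        } else {
            println!("{label}: outdated entries: {bad:?}");
        }
    }
}
```

Pointing `find_outdated` at the real lockfile (read it with `std::fs::read_to_string("Cargo.lock")`) turns this into a CI step; because every resolved version of a crate is checked, a second, older copy pulled in by a transitive dependency is flagged rather than masked by the workspace pin.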
Copilot AI review requested due to automatic review settings May 27, 2026 20:52
@benhillis benhillis requested review from a team as code owners May 27, 2026 20:52
@benhillis benhillis requested a review from smalis-msft May 27, 2026 20:52
@github-actions github-actions Bot added the release_1.7.2511 Targets the release/1.7.2511 branch. label May 27, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the workspace OpenSSL Rust crate dependency to pick up security fixes for the cited rust-openssl advisories, including the AES key-wrap-with-padding issue used by attestation crypto paths.

Changes:

  • Raises the workspace openssl dependency to 0.10.80.
  • Refreshes Cargo.lock for openssl, openssl-sys, vendored OpenSSL source, and related TLS/platform transitive dependencies.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| Cargo.toml | Updates the workspace OpenSSL crate version requirement. |
| Cargo.lock | Records the resolved OpenSSL ecosystem and related transitive dependency updates. |


@benhillis benhillis merged commit 228ab66 into microsoft:release/1.7.2511 May 28, 2026
101 of 109 checks passed

Labels

release_1.7.2511 Targets the release/1.7.2511 branch.
