
[1.6] Bump openssl to 0.10.80 to address CVE alerts #3578

Open
benhillis wants to merge 1 commit into microsoft:release/2505 from benhillis:user/benhill/1.6-openssl-bump

Conversation

@benhillis (Member) commented May 27, 2026

Bumps the openssl crate from 0.10.72 to 0.10.80 on the release/2505 (1.6) branch to address multiple security advisories:

  • rust-openssl undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs (fixed in 0.10.79)
  • rust-openssl heap buffer overflow when encrypting with AES key-wrap-with-padding (fixed in 0.10.80)

Updates the openssl crate from 0.10.72 to 0.10.80 to address multiple
security advisories:

- rust-openssl has undefined behavior in X509Ref::ocsp_responders for
  certificates with non-UTF-8 OCSP URLs (fixed in 0.10.79)
- rust-openssl vulnerable to heap buffer overflow when encrypting with
  AES key-wrap-with-padding (fixed in 0.10.80)

Cargo.lock-only change.
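A practitioner reviewing this PR wants one concrete check: that the lockfile really resolves the `openssl` crate (and not just `openssl-sys` or `openssl-src`, which are separate packages with their own version lines) to 0.10.80 or later, the first version carrying both fixes named above. The script below is an added example, not code from the PR or the OpenVMM project; it assumes the Cargo.lock v3 layout of `[[package]]` blocks with `name = "..."` and `version = "..."` lines, and the function names and the two sample lockfiles it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the PR or the project: verify that a Cargo.lock
# resolves the `openssl` crate to at least the version that carries both
# advisory fixes (0.10.80).

# Print the resolved version of an exactly-named package from a Cargo.lock.
# Exact matching matters: "openssl", "openssl-sys" and "openssl-src" are
# three different packages, each with its own [[package]] block.
lock_version() {
    awk -v pkg="$1" '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /         { gsub(/"/, "", $3); name = $3; next }
        /^version = / && name == pkg { gsub(/"/, "", $3); print $3; exit }
    ' "$2"
}

# Return 0 if dotted version $1 >= $2, comparing up to three numeric
# components (a missing component counts as 0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Exit 0 if the lockfile at $1 pins openssl >= 0.10.80, 1 if it is older,
# 2 if the crate is absent (nothing to check, but worth flagging).
check_openssl_lock() {
    v=$(lock_version openssl "$1")
    [ -n "$v" ] || { echo "openssl not present in $1"; return 2; }
    if version_ge "$v" 0.10.80; then
        echo "ok: openssl $v"; return 0
    fi
    echo "vulnerable: openssl $v < 0.10.80"; return 1
}

# Constructed fixtures: two minimal Cargo.lock fragments, one before and one
# after the bump. The openssl-sys version is a placeholder, not a real pin.
write_sample_lock() {  # $1 = path, $2 = openssl version to pin
    cat > "$1" <<EOF
# Constructed Cargo.lock fragment for this example, not the project's lockfile.
version = 3

[[package]]
name = "openssl"
version = "$2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "openssl-sys",
]

[[package]]
name = "openssl-sys"
version = "0.9.0"
EOF
}

SAMPLE_DIR=$(mktemp -d)
NEW_LOCK="$SAMPLE_DIR/Cargo.lock.new"
OLD_LOCK="$SAMPLE_DIR/Cargo.lock.old"
write_sample_lock "$NEW_LOCK" 0.10.80
write_sample_lock "$OLD_LOCK" 0.10.72

check_openssl_lock "$NEW_LOCK"          # prints "ok: openssl 0.10.80"
check_openssl_lock "$OLD_LOCK" || true  # prints "vulnerable: openssl 0.10.72 < 0.10.80"
```

Run `check_openssl_lock Cargo.lock` against a checkout of the branch; in a real tree, `cargo audit` against the RustSec advisory database gives the same answer for every crate at once, and `cargo tree -i openssl` shows which workspace crates actually pull the dependency in.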
Copilot AI review requested due to automatic review settings May 27, 2026 20:52
@benhillis benhillis requested review from a team as code owners May 27, 2026 20:52
@benhillis benhillis requested a review from smalis-msft May 27, 2026 20:53
@github-actions github-actions Bot added the release_2505 Targets the release/2505 branch. label May 27, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the workspace OpenSSL Rust dependency on the release/2505 branch to pick up upstream security fixes for rust-openssl advisories.

Changes:

  • Bumps openssl from 0.10.72 to 0.10.80.
  • Updates the resolved openssl-sys and openssl-src lockfile entries.
  • Removes once_cell from openssl’s transitive dependency list in Cargo.lock.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
Cargo.toml Updates the workspace openssl dependency version.
Cargo.lock Refreshes resolved OpenSSL-related crate versions and checksums.



Labels

release_2505 Targets the release/2505 branch.


2 participants