From 7f7e25fe5df1578d9f8e23e4bb04c8c5d5217376 Mon Sep 17 00:00:00 2001
From: jadamcrain
Date: Thu, 7 May 2026 07:50:59 -0700
Subject: [PATCH 1/2] update rustls-webpki to 0.103.13 to resolve RUSTSEC-2026-0098/0099/0104

Bumps rustls-webpki 0.103.10 -> 0.103.13. Also bumps aws-lc-sys 0.39.1 -> 0.40.0 and aws-lc-rs 1.16.2 -> 1.16.3 as transitive updates. The CRL panic (0104) is unreachable as Rodbus does not pass CRLs to webpki. The two name-constraint advisories (0098, 0099) are reachable during normal TLS handshake but require certificate misissuance from a trusted CA to exploit.
---
 CHANGELOG.md | 3 +++
 Cargo.lock | 12 ++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 079c9912..f28a4aa4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+### 1.5.0 ###
+* :lock: Update `rustls-webpki` to 0.103.13 to resolve RUSTSEC-2026-0098, 2026-0099, and 2026-0104. The two name-constraint advisories (0098, 0099) are theoretically reachable during TLS handshake but require certificate misissuance to exploit; the CRL panic (0104) is unreachable as Rodbus does not use CRLs.
+
 ### 1.5.0-RC1 ###
 * :star: Add configurable limit on consecutive client response timeouts. See [#166](https://github.com/stepfunc/rodbus/pull/166).
 * :wrench: Use aws-lc-rs crypto provider for TLS on most platforms. See [#164](https://github.com/stepfunc/rodbus/pull/164).
diff --git a/Cargo.lock b/Cargo.lock
index 785de364..836f29a0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -104,9 +104,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
 [[package]]
 name = "aws-lc-rs"
-version = "1.16.2"
+version = "1.16.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
+checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f"
 dependencies = [
  "aws-lc-sys",
  "zeroize",
@@ -114,9 +114,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-sys"
-version = "0.39.1"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83a25cf98105baa966497416dbd42565ce3a8cf8dbfd59803ec9ad46f3126399"
+checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7"
 dependencies = [
  "cc",
  "cmake",
@@ -1132,9 +1132,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
  "aws-lc-rs",
  "ring",

From dc153d02540ca780b69322a4c673c53c8e767010 Mon Sep 17 00:00:00 2001
From: jadamcrain
Date: Thu, 7 May 2026 10:43:26 -0700
Subject: [PATCH 2/2] link RUSTSEC advisories in CHANGELOG entry

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f28a4aa4..7985744b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 ### 1.5.0 ###
-* :lock: Update `rustls-webpki` to 0.103.13 to resolve RUSTSEC-2026-0098, 2026-0099, and 2026-0104. The two name-constraint advisories (0098, 0099) are theoretically reachable during TLS handshake but require certificate misissuance to exploit; the CRL panic (0104) is unreachable as Rodbus does not use CRLs.
+* :lock: Update `rustls-webpki` to 0.103.13 to resolve [RUSTSEC-2026-0098](https://rustsec.org/advisories/RUSTSEC-2026-0098.html), [RUSTSEC-2026-0099](https://rustsec.org/advisories/RUSTSEC-2026-0099.html), and [RUSTSEC-2026-0104](https://rustsec.org/advisories/RUSTSEC-2026-0104.html). The two name-constraint advisories (0098, 0099) are theoretically reachable during TLS handshake but require certificate misissuance to exploit; the CRL panic (0104) is unreachable as Rodbus does not use CRLs.
 
 ### 1.5.0-RC1 ###
 * :star: Add configurable limit on consecutive client response timeouts. See [#166](https://github.com/stepfunc/rodbus/pull/166).