fix(deps): update rust crate openssl to v0.10.70 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
openssl	dependencies	patch	0.10.68 -> 0.10.70

GitHub Vulnerability Alerts

CVE-2025-24898

Impact

ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

Patches

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

Workarounds

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

References

https://github.com/sfackler/rust-openssl/pull/2360

---

Release Notes

sfackler/rust-openssl (openssl)

v0.10.70: openssl v0.10.70

Compare Source

What's Changed

• Attempt to fix CI by pinning to the Ubuntu 22.04 image by @​alex in https://github.com/sfackler/rust-openssl/pull/2357
• Remove EC_METHOD and EC_GROUP_new for LibreSSL 4.1 by @​botovq in https://github.com/sfackler/rust-openssl/pull/2356
• Test against 3.4.0 final release by @​alex in https://github.com/sfackler/rust-openssl/pull/2359
• Expose SslMethod::{dtls_client,dtls_server} by @​alex in https://github.com/sfackler/rust-openssl/pull/2358
• Fix lifetimes in ssl::select_next_proto by @​sfackler in https://github.com/sfackler/rust-openssl/pull/2360

Full Changelog: sfackler/rust-openssl@openssl-v0.10.69...openssl-v0.10.70

v0.10.69: openssl v0.10.69

Compare Source

What's Changed

• build(deps): Update openssl-macro to version 0.1.1 by @​caspermeijn in https://github.com/sfackler/rust-openssl/pull/2324
• Enable set_alpn_select_callback for BoringSSL by @​ViktoriiaKovalova in https://github.com/sfackler/rust-openssl/pull/2327
• Switch the test to use prime256v1 based key by @​dcermak in https://github.com/sfackler/rust-openssl/pull/2330
• Expose EVP_DigestSqueeze from Hasher by @​initsecret in https://github.com/sfackler/rust-openssl/pull/2275
• Expose SSL_CTX_load_verify_locations by @​sfackler in https://github.com/sfackler/rust-openssl/pull/2353

New Contributors

• @​caspermeijn made their first contribution in https://github.com/sfackler/rust-openssl/pull/2324
• @​ViktoriiaKovalova made their first contribution in https://github.com/sfackler/rust-openssl/pull/2327

Full Changelog: sfackler/rust-openssl@openssl-v0.10.68...openssl-v0.10.69

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🚨 Rust Panic Audit: 342 Potential Panic Points Detected 🚨

Crate: ``

📊 Total Usages: 239

• 🔎 expect usages: 41
• 🎁 unwrap usages: 159
• 🚨 panic usages: 8
• 🔢 array_index usages: 31

Crate: federation_query_planner

📊 Total Usages: 50

• 🎁 unwrap usages: 29
• 🚨 panic usages: 3
• 🔢 array_index usages: 10
• 🔎 expect usages: 8

Crate: conductor

📊 Total Usages: 11

• 🎁 unwrap usages: 2
• 🔎 expect usages: 7
• 🚨 panic usages: 2

Crate: common

📊 Total Usages: 11

• 🔢 array_index usages: 1
• 🎁 unwrap usages: 10

Crate: cloudflare_worker

📊 Total Usages: 8

• 🎁 unwrap usages: 5
• 🔎 expect usages: 2
• 🚨 panic usages: 1

Crate: telemetry

📊 Total Usages: 7

• 🔢 array_index usages: 4
• 🎁 unwrap usages: 3

Crate: engine

📊 Total Usages: 7

• 🎁 unwrap usages: 6
• 🔎 expect usages: 1

Crate: tracing

📊 Total Usages: 6

• 🎁 unwrap usages: 5
• 🔎 expect usages: 1

Crate: config

📊 Total Usages: 3

• 🚨 panic usages: 1
• 🎁 unwrap usages: 2

📌 Expected Annotations

Crate: vrl

📊 Total Expected Usages: 2

expand details

1. Reason: "if the provided VRL code in the config file can't compile, we have to exit."

• Code: panic!("failed to compile vrl program");
• Location: ./plugins/vrl/src/plugin.rs:129

2. Reason: "states is a non-user provided variable"

• Code: .expect("can't merge states when states is an empty vector!")
• Location: ./plugins/vrl/src/plugin.rs:146

Crate: engine

📊 Total Expected Usages: 2

expand details

1. Reason: "if we are unable to construct the endpoints and attach them onto the gateway's http server, we have to exit"

• Code: Err(e) => panic!("failed to construct endpoint: {:?}", e),
• Location: ./libs/engine/src/gateway.rs:158

2. Reason: "we can safely index here, it's inside a test with constant defined fixtures."

• Code: ConductorGateway::execute(request, &gw.routes[0].route_data).await
• Location: ./libs/engine/src/gateway.rs:190

Crate: cloudflare_worker

📊 Total Expected Usages: 4

expand details

1. Reason: "it panics only if the header name is not valid, and we know it is."

• Code: .unwrap()
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:20

2. Reason: "it panics only if the URL source is not valid, and it's already validated before."

• Code: let url = req.url().unwrap();
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:23

3. Reason: "it only panics if we are not running in a CF context, should be safe."

• Code: let cf_info = req.cf().unwrap();
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:27

4. Reason: "unwraps only in special cases where "data:text" is used."

• Code: let http_host = url.host().unwrap().to_string();
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:36

Crate: common

📊 Total Expected Usages: 1

expand details

1. Reason: "we're parsing a statically defined constant, we know it works ;)"

• Code: .unwrap()
• Location: ./libs/common/src/graphql.rs:31

Crate: config

📊 Total Expected Usages: 9

expand details

1. Reason: "part of development docgen CLI"

• Code: .expect("Failed to serialize json schema for config file!");
• Location: ./libs/config/src/generate-json-schema.rs:50

2. Reason: "part of development docgen CLI"

• Code: .expect("Failed to write the json schema to the file system!");
• Location: ./libs/config/src/generate-json-schema.rs:54

3. Reason: "statically defined regex pattern, we know it works ;)"

• Code: .unwrap();
• Location: ./libs/config/src/interpolate.rs:18

4. Reason: "👇"

• Code: let raw_contents = read_to_string(file_path)
• Location: ./libs/config/src/lib.rs:815

5. Reason: "👇"

• Code: panic!("Failed to interpolate config file, please resolve the above errors");
• Location: ./libs/config/src/lib.rs:847

6. Reason: "👇"

• Code: parse_config_from_json(&config_string).expect("Failed to parse JSON config file")
• Location: ./libs/config/src/lib.rs:854

7. Reason: "👇"

• Code: parse_config_from_yaml(&config_string).expect("Failed to parse YAML config file")
• Location: ./libs/config/src/lib.rs:858

8. Reason: "👇"

• Code: _ => panic!("Unsupported config file extension"),
• Location: ./libs/config/src/lib.rs:875

9. Reason: "👇"

• Code: None => panic!("Config file has no extension"),
• Location: ./libs/config/src/lib.rs:878

Crate: jwt_auth

📊 Total Expected Usages: 1

expand details

1. Reason: "if initiating an http client fails, then we have to exit."

• Code: let client = wasm_polyfills::create_http_client().build().unwrap();
• Location: ./plugins/jwt_auth/src/jwks_provider.rs:49

Crate: conductor

📊 Total Expected Usages: 2

expand details

1. Reason: "we need to exit the process, if the logger can't be correctly set."

• Code: let _guard = tracing::subscriber::set_default(subscriber);
• Location: ./bin/conductor/src/lib.rs:64

2. Reason: "we need to exit the process, if the provided configuration file is incorrect."

• Code: panic!("Failed to initialize gateway: {:?}", e);
• Location: ./bin/conductor/src/lib.rs:103

Crate: ``

📊 Total Expected Usages: 22

expand details

1. Reason: "we're parsing a statically defined constant, we know it works ;)"

• Code: .unwrap()
• Location: ./libs/common/src/graphql.rs:31

2. Reason: "if we are unable to construct the endpoints and attach them onto the gateway's http server, we have to exit"

• Code: Err(e) => panic!("failed to construct endpoint: {:?}", e),
• Location: ./libs/engine/src/gateway.rs:158

3. Reason: "we can safely index here, it's inside a test with constant defined fixtures."

• Code: ConductorGateway::execute(request, &gw.routes[0].route_data).await
• Location: ./libs/engine/src/gateway.rs:190

4. Reason: "part of development docgen CLI"

• Code: .expect("Failed to serialize json schema for config file!");
• Location: ./libs/config/src/generate-json-schema.rs:50

5. Reason: "part of development docgen CLI"

• Code: .expect("Failed to write the json schema to the file system!");
• Location: ./libs/config/src/generate-json-schema.rs:54

6. Reason: "statically defined regex pattern, we know it works ;)"

• Code: .unwrap();
• Location: ./libs/config/src/interpolate.rs:18

7. Reason: "👇"

• Code: let raw_contents = read_to_string(file_path)
• Location: ./libs/config/src/lib.rs:815

8. Reason: "👇"

• Code: panic!("Failed to interpolate config file, please resolve the above errors");
• Location: ./libs/config/src/lib.rs:847

9. Reason: "👇"

• Code: parse_config_from_json(&config_string).expect("Failed to parse JSON config file")
• Location: ./libs/config/src/lib.rs:854

10. Reason: "👇"

• Code: parse_config_from_yaml(&config_string).expect("Failed to parse YAML config file")
• Location: ./libs/config/src/lib.rs:858

11. Reason: "👇"

• Code: _ => panic!("Unsupported config file extension"),
• Location: ./libs/config/src/lib.rs:875

12. Reason: "👇"

• Code: None => panic!("Config file has no extension"),
• Location: ./libs/config/src/lib.rs:878

13. Reason: "we need this"

• Code: panic!("Exited process!")
• Location: ./libs/napi/src/lib.rs:18

14. Reason: "if the provided VRL code in the config file can't compile, we have to exit."

• Code: panic!("failed to compile vrl program");
• Location: ./plugins/vrl/src/plugin.rs:129

15. Reason: "states is a non-user provided variable"

• Code: .expect("can't merge states when states is an empty vector!")
• Location: ./plugins/vrl/src/plugin.rs:146

16. Reason: "if initiating an http client fails, then we have to exit."

• Code: let client = wasm_polyfills::create_http_client().build().unwrap();
• Location: ./plugins/jwt_auth/src/jwks_provider.rs:49

17. Reason: "we need to exit the process, if the logger can't be correctly set."

• Code: let _guard = tracing::subscriber::set_default(subscriber);
• Location: ./bin/conductor/src/lib.rs:64

18. Reason: "we need to exit the process, if the provided configuration file is incorrect."

• Code: panic!("Failed to initialize gateway: {:?}", e);
• Location: ./bin/conductor/src/lib.rs:103

19. Reason: "it panics only if the header name is not valid, and we know it is."

• Code: .unwrap()
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:20

20. Reason: "it panics only if the URL source is not valid, and it's already validated before."

• Code: let url = req.url().unwrap();
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:23

21. Reason: "it only panics if we are not running in a CF context, should be safe."

• Code: let cf_info = req.cf().unwrap();
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:27

22. Reason: "unwraps only in special cases where "data:text" is used."

• Code: let http_host = url.host().unwrap().to_string();
• Location: ./bin/cloudflare_worker/src/http_tracing.rs:36

Crate: napi

📊 Total Expected Usages: 1

expand details

1. Reason: "we need this"

• Code: panic!("Exited process!")
• Location: ./libs/napi/src/lib.rs:18