chore(deps): update rust crate openssl to v0.10.79 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
openssl	dependencies	patch	0.10.78 → 0.10.79

---

rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs

CVE-2026-42327 / GHSA-xp3w-r5p5-63rr

More information

Details

X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref<Target = str> wraps the raw bytes with str::from_utf8_unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation causes safe Rust code to construct a &str that violates the UTF-8 invariant — resulting in undefined behavior.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
• https://nvd.nist.gov/vuln/detail/CVE-2026-42327
• https://github.com/advisories/GHSA-xp3w-r5p5-63rr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding

CVE-2026-44662 / GHSA-xv59-967r-8726

More information

Details

CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced.

This only impacts users using AES key-wrap-with-padding ciphers.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726
• https://nvd.nist.gov/vuln/detail/CVE-2026-44662
• https://github.com/advisories/GHSA-xv59-967r-8726

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

rust-openssl/rust-openssl (openssl)

v0.10.79

Compare Source

What's Changed

• Bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​2610
• Try to fix OpenSSL 1.1.0l download by @​botovq in #​2614
• Require &mut BigNumContextRef for EcPointRef mul/invert by @​alex in #​2615
• Fix UB in EcGroupRef::generator on groups without a generator by @​alex in #​2617
• Replace use libc::*; with targeted imports in openssl-sys by @​alex in #​2618
• Add PKeyRef::is_a and KeyType for name-based key identification by @​reaperhulk in #​2619
• Add PKey::{public,private}_key_from_raw_bytes_ex by @​reaperhulk in #​2620
• Bump MSRV to 1.80 by @​reaperhulk in #​2622
• Drop once_cell in favor of std::sync::{LazyLock, OnceLock} by @​reaperhulk in #​2623
• Add PKey::private_key_from_seed for ML-DSA/ML-KEM key import by @​reaperhulk in #​2621
• parallelize more builds in CI for cold caches by @​reaperhulk in #​2625
• Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction by @​reaperhulk in #​2626
• Fix process abort when verify/PSK callbacks fire after SSL_CTX swap by @​alex in #​2624
• Bind OSSL_PARAM_modified and use it for seed_into by @​reaperhulk in #​2628
• Add PkeyCtxRef::set_context_string for ML-DSA by @​reaperhulk in #​2629
• Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders by @​alex in #​2631
• Fix output buffer overflow for AES key-wrap-with-padding ciphers by @​alex in #​2630
• Release openssl 0.10.79 and openssl-sys 0.9.115 by @​reaperhulk in #​2632

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.