
fix: clear 3 RUSTSEC advisories (rand + wasmtime + rustls-webpki)#110

Merged
avrabe merged 1 commit into
mainfrom
fix/rustsec-2026-0097-rand
May 11, 2026

Conversation

@avrabe

@avrabe avrabe commented May 11, 2026

Contributor

Three-part fix for #102. Originally scoped to `rand`; expanded to clear two adjacent advisories that surfaced in CI once rand was no longer the loudest noise.

Changes (all Cargo.lock only; no Cargo.toml edits)

| Bump | Clears |
| --- | --- |
| `rand` 0.9.2 → 0.9.4 | RUSTSEC-2026-0097 (0.9.x line) |
| `wasmtime` 43.0.1 → 43.0.2 | RUSTSEC-2026-0114 (table-allocation panic) |
| `rustls-webpki` 0.103.12 → 0.103.13 | RUSTSEC-2026-0104 (CRL parsing panic) |

All three are within-minor patch bumps. Existing version constraints in `Cargo.toml` were already range-compatible.

CI-side change

The `cargo audit` step in `supply-chain.yml` had its own inline `--ignore` list that was out of sync with `deny.toml [advisories].ignore`. Added the matching `--ignore RUSTSEC-2026-0097` for the residual `rand 0.8.5` transitive that cannot be patched here (it's pulled by `regorus 0.2.8`, the OPA / Rego policy engine, which needs an upstream release bumping its rand pin to 0.9+).

`wsc` does not use custom rand loggers, so the unsoundness described by RUSTSEC-2026-0097 does not affect us — `deny.toml` already carries this justification.

Before / after

```
before: cargo audit → 4 vulnerabilities (rand x2, wasmtime, webpki)
after: cargo audit → 0 vulnerabilities (with the --ignore list applied)
```

Test plan

  • `cargo build --workspace --release` clean
  • `cargo audit` locally returns 0 vulnerabilities with the new ignore flag
  • CI's Cargo Audit job passes (currently failing on main with the same 4)

Fixes #102.

Three-part fix for #102 (originally scoped to rand; expanded to clear
two adjacent advisories that surfaced once rand was no longer the
loudest noise in cargo audit):

1. `cargo update -p rand@0.9.2` → 0.9.4. Clears RUSTSEC-2026-0097
   for the 0.9.x instance (pulled via uuid, quinn-proto, debugid).
2. `cargo update -p wasmtime@43.0.1` → 43.0.2. Clears RUSTSEC-2026-0114
   (panic on table allocation exceeding host address space).
3. `cargo update -p rustls-webpki` → 0.103.13. Clears RUSTSEC-2026-0104
   (reachable panic in CRL parsing).

All three are within-minor patch bumps; no Cargo.toml edits needed
because the existing version constraints were range-compatible.

The residual `rand 0.8.5` transitive (via regorus 0.2.8 policy engine)
cannot be patched without an upstream regorus release that bumps to
rand 0.9+. wsc does not use custom rand loggers, so the unsoundness
from RUSTSEC-2026-0097 does not affect us. deny.toml already had this
ignore; this commit adds the matching `--ignore RUSTSEC-2026-0097`
flag to the cargo-audit CI step so the two ignore lists stay aligned.

Effect:
  before: cargo audit → 4 vulnerabilities (rand x2, wasmtime, webpki)
  after:  cargo audit → 0 vulnerabilities (with --ignore list applied)

Fixes: #102

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@avrabe avrabe force-pushed the fix/rustsec-2026-0097-rand branch from f831034 to 7c22d1e Compare May 11, 2026 03:55
@avrabe avrabe changed the title fix: clear RUSTSEC-2026-0097 (rand 0.9.2 → 0.9.4) fix: clear 3 RUSTSEC advisories (rand + wasmtime + rustls-webpki) May 11, 2026
@codecov

codecov Bot commented May 11, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@avrabe avrabe merged commit 39db302 into main May 11, 2026
21 checks passed
@avrabe avrabe deleted the fix/rustsec-2026-0097-rand branch May 11, 2026 05:04
avrabe added a commit that referenced this pull request May 11, 2026
Patch release bundling four merged PRs:
  #107 — cargo-deny CI step hardening (closes #103)
  #108 — discharge lemma_le64_injective Verus admit (audit C-1 partial)
  #109 — repair fuzz_public_key target (audit follow-up from #98)
  #110 — clear 3 RUSTSEC advisories via dep bumps (fixes #102)

Companion work on 0.8.2+next:
  #111 — criterion benches for signature verification (#89)
  #112 — lift Kani wasm_module mask; document merkle + format

See CHANGELOG.md for the full release notes.

Trace: skip

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
avrabe added a commit that referenced this pull request May 16, 2026
The audit fix in PR #110 bumped rand 0.9.x to 0.9.4 but left the
residual rand 0.8.5 in place (pulled by regorus 0.2.8). That instance
was carried under an --ignore RUSTSEC-2026-0097 in supply-chain.yml
and deny.toml with a comment "tracked for upstream resolution; sigil
does not use custom rand loggers."

regorus 0.10 is now out and drops the rand 0.8.5 transitive from the
dep graph entirely. With it gone, the ignore entry in deny.toml and
the matching --ignore flag in supply-chain.yml are no longer needed —
cargo audit returns 0 vulnerabilities (excluding the unmaintained
rustls-pemfile, which stays in the ignore list pending upstream
deprecation).

The regorus dep is feature-gated behind `--features rego` and is
optional for power users of the Rego policy language; default builds
do not use it. cargo build (default), cargo build --features rego,
and cargo test --no-run --features rego all clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0097: rand 0.9.2 advisory in transitive deps (uuid, quinn-proto)

1 participant