Update openssl to fix possible vulnerability

2025-02-11 13:03:11 -06:00
parent c9e62002ec
commit 2d5e4d89b0
2 changed files with 9 additions and 5 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1396,9 +1396,9 @@ checksum = "b410bbe7e14ab526a0e86877eb47c6996a2bd7746f027ba551028c925390e4e9"

 [[package]]
 name = "openssl"
-version = "0.10.66"
+version = "0.10.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1"
+checksum = "61cfb4e166a8bb8c9b55c500bc2308550148ece889be90f609377e58140f42c6"
 dependencies = [
 "bitflags 2.6.0",
 "cfg-if",
@@ -1437,9 +1437,9 @@ dependencies = [

 [[package]]
 name = "openssl-sys"
-version = "0.9.103"
+version = "0.9.105"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6"
+checksum = "8b22d5b84be05a8d6947c7cb71f7c849aa0f112acd4bf51c2a7c1c988ac0a9dc"
 dependencies = [
 "cc",
 "libc",
--- a/stdlib/src/ssl.rs
+++ b/stdlib/src/ssl.rs
@@ -612,7 +612,11 @@ mod _ssl {
                    Ok(pbuf.to_vec())
                })?;
                ctx.set_alpn_select_callback(move |_, client| {
-                    ssl::select_next_proto(&server, client).ok_or(ssl::AlpnError::NOACK)
+                    let proto =
+                        ssl::select_next_proto(&server, client).ok_or(ssl::AlpnError::NOACK)?;
+                    let pos = memchr::memmem::find(client, proto)
+                        .expect("selected alpn proto should be present in client protos");
+                    Ok(&client[pos..proto.len()])
                });
                Ok(())
            }