From 42a1e8aee94c1740ee4cb278ee3ca205432d3d6f Mon Sep 17 00:00:00 2001
From: ash
Date: Thu, 7 May 2026 20:33:01 +0200
Subject: [PATCH] release(v0.2.2): rustls-webpki security patch + CI workflows

Bumps rustls-webpki 0.103.8 -> 0.103.13 (transitive via axum-server), closing RUSTSEC-2026-0049/0098/0099/0104. Wire protocol unchanged. Also documents the GitHub Actions setup and the rustfmt pass added on this cycle. See CHANGELOG.md for details.

---
 CHANGELOG.md | 40 ++++++++++++++++++++++++++++++++++++++++
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eefd337..a1448eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,46 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Dates are the repository-local commit dates; entries are curated for user-visible impact rather than being a 1:1 mirror of `git log`.
+## [2026-05-07] — v0.2.2
+
+Security patch release. Wire protocol unchanged (still v1); no client-side
+changes, no deploy-ordering constraints vs. v0.2.1.
+
+### Security (high)
+
+- **`rustls-webpki` 0.103.8 → 0.103.13.** Pulled in transitively via
+ `axum-server` → `tokio-rustls` → `rustls`; closes four advisories that
+ reach the TLS-terminating server path:
+ - **RUSTSEC-2026-0049** — CRLs were not considered authoritative by their
+ Distribution Point because of faulty matching logic.
+ - **RUSTSEC-2026-0098** — name constraints for URI names were incorrectly
+ accepted, so a constrained CA could issue certificates outside its
+ permitted scope.
+ - **RUSTSEC-2026-0099** — name constraints were accepted for certificates
+ asserting a wildcard name, with the same scope-bypass effect.
+ - **RUSTSEC-2026-0104** — reachable panic when parsing a malformed
+ Certificate Revocation List (DoS surface on TLS handshake paths that
+ consume CRLs).
+
+### CI / tooling
+
+- Added GitHub Actions workflows: Rust CI (fmt + clippy advisory + test),
+ cargo-audit (push, PR, weekly cron), SRI consistency gate (recomputes
+ asset hashes with CRLF-normalisation matching `extensions/generate-hashes.js`),
+ and a Docker build verification.
+- One-time `cargo fmt --all` pass across the server crate; recorded in
+ `.git-blame-ignore-revs` so `git blame` skips it.
+
+### Known informational warnings (non-blocking)
+
+`cargo audit` still emits two warnings that do not fail the run and are
+not exploitable in this codebase:
+
+- **RUSTSEC-2026-0097** — `rand 0.8.5` unsoundness when used with a
+ custom logger via `rand::rng()`. We do not register such a logger.
+- **RUSTSEC-2025-0134** — `rustls-pemfile 2.2.0` is unmaintained,
+ pinned transitively by `axum-server`. Tracked upstream.
+
 ## [2026-04-24] — v0.2.1

 Security patch release. Wire protocol unchanged (still v1); no deploy-ordering
diff --git a/Cargo.lock b/Cargo.lock
index 3462fe4..c1ed419 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1141,7 +1141,7 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"

 [[package]]
 name = "pinchat"
-version = "0.2.1"
+version = "0.2.2"
 dependencies = [
 "argon2",
 "axum",
diff --git a/Cargo.toml b/Cargo.toml
index bc95664..5dd4c72 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "pinchat"
-version = "0.2.1"
+version = "0.2.2"
 edition = "2024"

 [dependencies]