Skip to content

RUSTSEC-2026-0098/99 - 0.101.7 (agave v3.1/v4.0)#5

Merged
t-nelson merged 3 commits into
anza-xyz:anza-0.101.7from
t-nelson:rs-26-98+99-0.101.7
Apr 21, 2026
Merged

RUSTSEC-2026-0098/99 - 0.101.7 (agave v3.1/v4.0)#5
t-nelson merged 3 commits into
anza-xyz:anza-0.101.7from
t-nelson:rs-26-98+99-0.101.7

Conversation

@t-nelson

@t-nelson t-nelson commented Apr 17, 2026

Copy link
Copy Markdown

pick fixes for https://rustsec.org/advisories/RUSTSEC-2026-0098 and https://rustsec.org/advisories/RUSTSEC-2026-0099 onto our 0.101.7 based vendored branch

i couldn't get the test to go for d0024e6. too many new things 😢

@t-nelson t-nelson force-pushed the rs-26-98+99-0.101.7 branch 8 times, most recently from 386dc84 to 83601a8 Compare April 17, 2026 16:07
@bw-solana

bw-solana commented Apr 17, 2026

Copy link
Copy Markdown

Upstream fixes for reference:
rustls@318b3e6
rustls@1219622

@t-nelson t-nelson force-pushed the rs-26-98+99-0.101.7 branch from 83601a8 to 9c0f19c Compare April 17, 2026 22:35
@t-nelson t-nelson requested a review from Copilot April 17, 2026 22:42
Copilot AI reviewed Apr 17, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backports upstream fixes related to RustSec advisories RUSTSEC-2026-0098 and RUSTSEC-2026-0099 into the vendored 0.101.7 branch, focusing on tightening X.509 name-constraints handling for DNS names (notably wildcard semantics).

Changes:

  • Makes name-constraint matching more explicit in verify.rs by avoiding a catch-all match arm for GeneralName variant pairs.
  • Extends DNS name constraint matching to distinguish subtree polarity (PermittedSubtrees vs ExcludedSubtrees) and adds regression tests for wildcard containment/intersection behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/subject_name/verify.rs Refactors name/constraint variant matching and exposes Subtrees for use by other subject-name code.
src/subject_name/dns_name.rs Introduces subtree-polarity into constraint role handling and adds wildcard-related tests.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/subject_name/verify.rs
Comment thread src/subject_name/dns_name.rs Outdated
@bw-solana

bw-solana commented Apr 19, 2026

Copy link
Copy Markdown

upstream change was merged 4ad751f

@t-nelson

t-nelson commented Apr 20, 2026
edited
Loading

Copy link
Copy Markdown
Author

upstream is quite diverged from 0.101.x

@t-nelson t-nelson force-pushed the rs-26-98+99-0.101.7 branch from dc0c741 to 3affda8 Compare April 21, 2026 00:56
@t-nelson t-nelson force-pushed the rs-26-98+99-0.101.7 branch from 3affda8 to c9937f6 Compare April 21, 2026 01:53
bw-solana
bw-solana approved these changes Apr 21, 2026
View reviewed changes

@bw-solana bw-solana left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@t-nelson t-nelson merged commit 37e66ef into anza-xyz:anza-0.101.7 Apr 21, 2026
20 checks passed
@t-nelson t-nelson deleted the rs-26-98+99-0.101.7 branch April 21, 2026 02:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@bw-solana bw-solana bw-solana approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@t-nelson @bw-solana