Skip to content

chore(deps): bump rustls-webpki from 0.103.8 to 0.103.12 in /pkg/data_cache#3444

Merged
google-oss-prow[bot] merged 1 commit intomasterfrom
dependabot/cargo/pkg/data_cache/rustls-webpki-0.103.12
Apr 22, 2026
Merged

chore(deps): bump rustls-webpki from 0.103.8 to 0.103.12 in /pkg/data_cache#3444
google-oss-prow[bot] merged 1 commit intomasterfrom
dependabot/cargo/pkg/data_cache/rustls-webpki-0.103.12

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps rustls-webpki from 0.103.8 to 0.103.12.

Release notes

Sourced from rustls-webpki's releases.

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

0.103.9

What's Changed

Commits
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown criticial extensions
  • 348ce01 Prepare 0.103.10
  • dbde592 crl: fix authoritative_for() support for multiple URIs
  • 9c4838e avoid std::prelude imports
  • 009ef66 fix rust 1.94 ambiguous panic macro warnings
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump rustls-webpki in /pkg/data_cache
f7160ae 
Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.8 to 0.103.12.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.8...v/0.103.12)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Apr 21, 2026
Copilot AI review requested due to automatic review settings April 21, 2026 02:14
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Apr 21, 2026
@dependabot dependabot Bot review requested due to automatic review settings April 21, 2026 02:14
@dependabot dependabot Bot mentioned this pull request Apr 21, 2026
Closed
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 21, 2026

🎉 Welcome to the Kubeflow Trainer! 🎉

Thanks for opening your first PR! We're happy to have you as part of our community 🚀

Here's what happens next:

  • If you haven't already, please check out our Contributing Guide for repo-specific guidelines and the Kubeflow Contributor Guide for general community standards.
  • Our team will review your PR soon! cc @kubeflow/kubeflow-trainer-team

Join the community:

Feel free to ask questions in the comments if you need any help or clarification!
Thanks again for contributing to Kubeflow! 🙏

@coveralls
Copy link
Copy Markdown

coveralls commented Apr 21, 2026

Coverage Report for CI Build 24700506124

Coverage remained the same at 58.057%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

Coverage Stats

Coverage Status
Relevant Lines: 3500
Covered Lines: 2032
Line Coverage: 58.06%
Coverage Strength: 0.67 hits per line
💛 - Coveralls

tenzen-y
tenzen-y reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@tenzen-y tenzen-y left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@google-oss-prow google-oss-prow Bot added the lgtm label Apr 22, 2026
@google-oss-prow
Copy link
Copy Markdown

google-oss-prow Bot commented Apr 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tenzen-y

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow Bot merged commit a149bb7 into master Apr 22, 2026
42 of 45 checks passed
@google-oss-prow google-oss-prow Bot deleted the dependabot/cargo/pkg/data_cache/rustls-webpki-0.103.12 branch April 22, 2026 17:28
@google-oss-prow google-oss-prow Bot added this to the v2.3 milestone Apr 22, 2026
Goku2099 pushed a commit to Goku2099/trainer that referenced this pull request Apr 25, 2026
@dependabot @Goku2099
chore(deps): bump rustls-webpki from 0.103.8 to 0.103.12 in /pkg/data…
39e31fc 
…_cache (kubeflow#3444)

Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.8 to 0.103.12.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.8...v/0.103.12)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Sameer_yadav <159073326+Goku2099@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tenzen-y tenzen-y tenzen-y left review comments

@jinchihe jinchihe Awaiting requested review from jinchihe

@kuizhiqing kuizhiqing Awaiting requested review from kuizhiqing

Assignees

@tenzen-y tenzen-y

Labels

approved dependencies Pull requests that update a dependency file lgtm rust Pull requests that update rust code size/XS

Projects

None yet

Milestone

v2.3

Development

Successfully merging this pull request may close these issues.

2 participants

@coveralls @tenzen-y