chore(deps): update rust crate openssl to v0.10.72 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
openssl	dependencies	patch	0.10.68 → 0.10.72

GitHub Vulnerability Alerts

CVE-2025-24898

Impact

ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

Patches

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

Workarounds

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

References

https://github.com/sfackler/rust-openssl/pull/2360

GHSA-4fcv-w3qc-ppgg

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.

---

Release Notes

rust-openssl/rust-openssl (openssl)

v0.10.72

Compare Source

What's Changed

• make set_rsa_oaep_md visible to boringssl config by @​frncs-rss in sfackler#2372
• Fix typo in openssl-sys build script by @​rushilmehra in sfackler#2375
• Unify the two BoringSSL codepaths a bit and simplify init by @​davidben in sfackler#2377
• pkey_ctx: Fix link to the corresponding OpenSSL function by @​Jakuje in sfackler#2378
• fix test on MSRV by @​alex in sfackler#2383
• Add support for AWS-LC to openssl and openssl-sys crates by @​skmcgrail in sfackler#1805
• Enable additional capabilities for AWS-LC by @​skmcgrail in sfackler#2386
• Use --experimental with bindgen-cli with aws-lc build by @​skmcgrail in sfackler#2389
• Fixed two UAFs and bumped versions for release by @​alex in sfackler#2390

New Contributors

• @​Jakuje made their first contribution in sfackler#2378
• @​skmcgrail made their first contribution in sfackler#1805

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.71...openssl-v0.10.72

v0.10.71

Compare Source

What's Changed

• Expose rc2 ciphers on symm::Cipher by @​alex in sfackler#2361
• add full Apache license file to openssl by @​frncs-rss in sfackler#2366
• Release openssl v0.10.71 and openssl-sys v0.9.106 by @​alex in sfackler#2369

New Contributors

• @​frncs-rss made their first contribution in sfackler#2366

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.70...openssl-v0.10.71

v0.10.70: openssl v0.10.70

Compare Source

What's Changed

• Attempt to fix CI by pinning to the Ubuntu 22.04 image by @​alex in sfackler#2357
• Remove EC_METHOD and EC_GROUP_new for LibreSSL 4.1 by @​botovq in sfackler#2356
• Test against 3.4.0 final release by @​alex in sfackler#2359
• Expose SslMethod::{dtls_client,dtls_server} by @​alex in sfackler#2358
• Fix lifetimes in ssl::select_next_proto by @​sfackler in sfackler#2360

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.69...openssl-v0.10.70

v0.10.69: openssl v0.10.69

Compare Source

What's Changed

• build(deps): Update openssl-macro to version 0.1.1 by @​caspermeijn in sfackler#2324
• Enable set_alpn_select_callback for BoringSSL by @​ViktoriiaKovalova in sfackler#2327
• Switch the test to use prime256v1 based key by @​dcermak in sfackler#2330
• Expose EVP_DigestSqueeze from Hasher by @​initsecret in sfackler#2275
• Expose SSL_CTX_load_verify_locations by @​sfackler in sfackler#2353

New Contributors

• @​caspermeijn made their first contribution in sfackler#2324
• @​ViktoriiaKovalova made their first contribution in sfackler#2327

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.68...openssl-v0.10.69

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.