chore: bump aws-lc-rs 1.15.3 → 1.16.2 and aws-lc-sys 0.36.0 → 0.39.1#373

Open
nicklasl wants to merge 1 commit into main from nicklasl/bump-aws-lc-sys
Conversation

@nicklasl
Member

@nicklasl nicklasl commented Apr 14, 2026

Summary

  • Bump aws-lc-rs from 1.15.3 to 1.16.2 and aws-lc-sys from 0.36.0 to 0.39.1
  • Lockfile-only change, no Cargo.toml modifications needed
  • Only affects the native Rust provider (openfeature-provider/rust/)

Security

Resolves 5 high-severity Dependabot alerts on aws-lc-sys:

| Alert | Severity | Advisory | Fixed in |
| --- | --- | --- | --- |
| #29 | HIGH | GHSA-vw5v-4f2q-w9xf — PKCS7_verify Certificate Chain Validation Bypass | 0.38.0 |
| #30 | HIGH | GHSA-65p9-r9h6-22vj — Timing Side-Channel in AES-CCM Tag Verification | 0.38.0 |
| #31 | HIGH | GHSA-hfpc-8r3f-gw53 — PKCS7_verify Signature Validation Bypass | 0.38.0 |
| #39 | HIGH | GHSA-394x-vwmw-crm3 — X.509 Name Constraints Bypass via Wildcard/Unicode CN | 0.39.0 |
| #40 | HIGH | GHSA-9f94-5g5w-gf6r — CRL Distribution Point Scope Check Logic Error | 0.39.0 |

Test plan

  • CI passes

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl nicklasl marked this pull request as ready for review April 14, 2026 14:15
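A reviewer verifying that the lockfile bump actually clears every alert in the table above can check each locked copy of aws-lc-sys against the advisory's "Fixed in" version. This is an added example, not code from the PR or the OpenFeature project; the Cargo.lock excerpt is constructed, and the version thresholds are the ones listed in the PR.

```python
import re
from typing import Dict, List, Tuple

# Constructed Cargo.lock excerpt (not the project's real lockfile), showing
# the two crates as they would appear after the bump in this pull request.
CARGO_LOCK = """
[[package]]
name = "aws-lc-rs"
version = "1.16.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aws-lc-sys"
version = "0.39.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Advisory -> first aws-lc-sys version that fixes it, from the PR's security table.
FIXED_IN = {
    "GHSA-vw5v-4f2q-w9xf": "0.38.0",
    "GHSA-65p9-r9h6-22vj": "0.38.0",
    "GHSA-hfpc-8r3f-gw53": "0.38.0",
    "GHSA-394x-vwmw-crm3": "0.39.0",
    "GHSA-9f94-5g5w-gf6r": "0.39.0",
}

# Cargo.lock writes name then version on consecutive lines inside each [[package]].
_PKG = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.39.1' into (0, 39, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def locked_versions(lock_text: str) -> Dict[str, List[str]]:
    """Map crate name -> every locked version; a lockfile may pin the same crate twice."""
    found: Dict[str, List[str]] = {}
    for name, version in _PKG.findall(lock_text):
        found.setdefault(name, []).append(version)
    return found


def unresolved_alerts(lock_text: str, crate: str = "aws-lc-sys") -> List[str]:
    """Advisories still open: any locked copy of `crate` older than its fixed-in version."""
    versions = locked_versions(lock_text).get(crate, [])
    if not versions:
        return []  # crate not in the dependency tree, so the alerts do not apply
    oldest = min(versions, key=parse_version)  # the weakest pinned copy decides
    return sorted(ghsa for ghsa, fixed in FIXED_IN.items()
                  if parse_version(oldest) < parse_version(fixed))
```

Running it against a lockfile still at 0.36.0 lists all five advisories; at 0.38.x only the two fixed in 0.39.0 remain.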