Skip to content

build(deps): bump openssl from 0.10.73 to 0.10.78#591

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/cargo/openssl-0.10.78
Open

build(deps): bump openssl from 0.10.73 to 0.10.78#591
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/cargo/openssl-0.10.78

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Bumps openssl from 0.10.73 to 0.10.78.

Release notes

Sourced from openssl's releases.

openssl-v0.10.78

What's Changed

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

New Contributors

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.77

openssl-v0.10.76

What's Changed

... (truncated)

Commits
  • a6debf5 Release openssl v0.10.78 and openssl-sys v0.9.114 (#2609)
  • 09b425e Check derive output buffer length on OpenSSL 1.1.x (#2606)
  • 826c388 Error for short out in MdCtxRef::digest_final() (#2608)
  • 1d10902 Validate callback-returned lengths in PSK and cookie trampolines (#2607)
  • 5af6895 Reject oversized length returns from password callback trampoline (#2605)
  • 718d07f fix inverted bounds assertion in AES key unwrap (#2604)
  • 53cc69d Add support for LibreSSL 4.3.x (#2603)
  • 0b41e79 Fix dangling stack pointer in custom extension add callback (#2599)
  • cbdedf8 Avoid panic for overlong OIDs (#2598)
  • 1fc51ef openssl 4 support (#2591)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump openssl from 0.10.73 to 0.10.78
cfb7fd7 
Bumps [openssl](https://github.com/rust-openssl/rust-openssl) from 0.10.73 to 0.10.78.
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.73...openssl-v0.10.78)

---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.78
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Apr 23, 2026
@dependabot dependabot Bot mentioned this pull request Apr 23, 2026
Closed
@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented Apr 23, 2026

Greptile Summary

This PR bumps openssl from 0.10.73 to 0.10.78 (and openssl-sys from 0.9.109 to 0.9.114) across Cargo.lock and the Linux/Android aw-sync/Cargo.toml vendored dependency pin. The update ships several security hardening fixes including rejection of oversized callback-returned lengths, a dangling stack pointer fix in TLS extension callbacks, and an inverted bounds assertion fix in AES key unwrap.

Confidence Score: 5/5

Safe to merge — straightforward security dependency bump with no logic changes

Both changed files contain only version and checksum updates consistent with the upstream release. No application logic is modified and all security-relevant fixes in this release range are improvements.

No files require special attention

Important Files Changed

Filename Overview
Cargo.lock Updates openssl from 0.10.73 to 0.10.78 and openssl-sys from 0.9.109 to 0.9.114 with correct checksums
aw-sync/Cargo.toml Pins the linux-target vendored openssl dependency from 0.10.64 to 0.10.78, matching the lock file

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["aw-sync (Linux target)"] -->|"openssl 0.10.78 vendored"| B["openssl crate 0.10.78"]
    B --> C["openssl-sys 0.9.114"]
    C --> D["libssl / libcrypto (vendored)"]
Loading

Reviews (1): Last reviewed commit: "build(deps): bump openssl from 0.10.73 t..." | Re-trigger Greptile

@TimeToBuildBob
Copy link
Copy Markdown
Contributor

TimeToBuildBob commented Apr 23, 2026

Master is red because the scheduled Dependabot security update keeps failing while this PR is still open. The failing runs on 2026-04-23 (24811552283, 24811619259, 24811776424) all report pull_request_exists_for_latest_version for openssl 0.10.78, not a test/build regression.

I checked this PR: it is CLEAN, MERGEABLE, and all checks are passing. I tried to merge it directly, but TimeToBuildBob does not have MergePullRequest permission in this repo. A maintainer with merge rights should merge this PR (or enable automerge) to clear the repeated master CI failures.

@TimeToBuildBob TimeToBuildBob mentioned this pull request Apr 24, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TimeToBuildBob