ZENOTME opened a new pull request, #1050: URL: https://github.com/apache/iceberg-rust/pull/1050
## Which issue does this PR close?

- Closes #.

## What changes are included in this PR?

It seems an overflow problem has been detected in ring. This PR upgrades it to fix that.

Info from cargo audit:

```
/home/runner/.cargo/bin/cargo audit --json --file ./Cargo.lock
{"database":{"advisory-count":735,"last-commit":"4f5cae00f0c77b753750451b0ed2ea0cce97458b","last-updated":"2025-03-06T14:44:11-07:00"},"lockfile":{"dependency-count":644},"settings":{"target_arch":[],"target_os":[],"severity":null,"ignore":["RUSTSEC-2023-0071","RUSTSEC-2024-0388"],"informational_warnings":["unmaintained","unsound","notice"]},"vulnerabilities":{"found":true,"count":1,"list":[{"advisory":{"id":"RUSTSEC-2025-0009","package":"ring","title":"Some AES functions may panic when overflow checking is enabled.","description":"`ring::aead::quic::HeaderProtectionKey::new_mask()` may panic when overflow\nchecking is enabled. In the QUIC protocol, an attacker can induce this panic by\nsending a specially-crafted packet. Even unintentionally it is likely to occur\nin 1 out of every 2**32 packets sent and/or received.\n\nOn 64-bit targets operations using `ring::aead::{AES_128_GCM, AES_256_GCM}` may\npanic when overflow checking is enabled, when encrypting/decrypting approximately\n68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols\nlike TLS and SSH are not affected by this because those protocols break large\namounts of data into small chunks. Similarly, most applications will not\nattempt to encrypt/decrypt 64GB of data in one chunk.\n\nOverflow checking is not enabled in release mode by default, but\n`RUSTFLAGS=\"-C overflow-checks\"` or `overflow-checks = true` in the Cargo.toml\nprofile can override this. Overflow checking is usually enabled by default in\ndebug mode.","date":"2025-03-06","aliases":[],"related":[],"collection":"crates","categories":["denial-of-service"],"keywords":[],"cvss":null,"informational":null,"references":[],"source":null,"url":"https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05","withdrawn":null,"license":"CC0-1.0"},"versions":{"patched":[">=0.17.12"],"unaffected":[]},"affected":null,"package":{"name":"ring","version":"0.17.9","source":"registry+https://github.com/rust-lang/crates.io-index","checksum":"e75ec5e92c4d8aede845126adc388046234541629e76029599ed35a003c7ed24","dependencies":
```

## Are these changes tested?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org
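The report above is the raw `cargo audit --json` output that the PR's CI produced. As an added example (not code from the PR or from the iceberg-rust project), the following script shows how a CI gate can consume such a report: it parses the JSON, evaluates each finding's locked version against the advisory's `patched` ranges, honours the `ignore` list that the report itself records, and decides whether the build should fail. The sample report embedded below is constructed and trimmed to the fields used, keeping the same advisory id, package and version as the PR's output; the function names and the constraint grammar it accepts (`>=`, `>`, `<=`, `<`, `=`, comma-joined) are assumptions of this example, not an API of cargo-audit.

```python
"""CI gate over a `cargo audit --json` report (added example; not project code)."""
import json
import re

# Constructed sample: a trimmed report with the same advisory, package and
# locked version as the PR's cargo audit output.
SAMPLE_AUDIT_JSON = json.dumps({
    "settings": {"ignore": ["RUSTSEC-2023-0071", "RUSTSEC-2024-0388"]},
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [{
            "advisory": {
                "id": "RUSTSEC-2025-0009",
                "package": "ring",
                "title": "Some AES functions may panic when overflow checking is enabled.",
                "categories": ["denial-of-service"],
            },
            "versions": {"patched": [">=0.17.12"], "unaffected": []},
            "package": {"name": "ring", "version": "0.17.9"},
        }],
    },
})

# One clause of a version requirement, e.g. ">=0.17.12" (hypothetical grammar).
_CLAUSE_RE = re.compile(r"^\s*(>=|<=|>|<|=)?\s*([0-9][0-9A-Za-z.+\-]*)\s*$")


def parse_version(text):
    """'0.17.9' -> (0, 17, 9); a pre-release/build suffix is ignored."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def _padded(a, b):
    """Right-pad two version tuples with zeros so '1.2' compares as '1.2.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def satisfies(version, requirement):
    """True if `version` meets every comma-joined clause of `requirement`."""
    v = parse_version(version)
    for clause in requirement.split(","):
        match = _CLAUSE_RE.match(clause)
        if not match:
            raise ValueError(f"unsupported requirement clause: {clause!r}")
        op = match.group(1) or "="
        lhs, rhs = _padded(v, parse_version(match.group(2)))
        ok = {">=": lhs >= rhs, ">": lhs > rhs, "<=": lhs <= rhs,
              "<": lhs < rhs, "=": lhs == rhs}[op]
        if not ok:
            return False
    return True


def is_fixed(version, patched_requirements):
    """A locked version is fixed if it lands in any advertised patched range."""
    return any(satisfies(version, req) for req in patched_requirements)


def evaluate_audit(report_json, extra_ignore=()):
    """Turn a cargo-audit JSON report into a list of finding dicts."""
    report = json.loads(report_json)
    ignored_ids = set(report.get("settings", {}).get("ignore", []))
    ignored_ids.update(extra_ignore)  # policy-level ignores layered on top
    findings = []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        advisory, package = vuln["advisory"], vuln["package"]
        patched = vuln.get("versions", {}).get("patched", [])
        findings.append({
            "id": advisory["id"],
            "package": package["name"],
            "version": package["version"],
            "title": advisory["title"],
            "categories": advisory.get("categories", []),
            "patched": patched,
            # Sanity check: the lockfile version should not already be patched.
            "already_fixed": is_fixed(package["version"], patched),
            "ignored": advisory["id"] in ignored_ids,
        })
    return findings


def ci_should_fail(findings):
    """Fail the build on any finding that is neither ignored nor already fixed."""
    return any(not f["ignored"] and not f["already_fixed"] for f in findings)


if __name__ == "__main__":
    for finding in evaluate_audit(SAMPLE_AUDIT_JSON):
        print(f"{finding['id']}: {finding['package']} {finding['version']} "
              f"(patched in {', '.join(finding['patched'])})")
    print("fail build:", ci_should_fail(evaluate_audit(SAMPLE_AUDIT_JSON)))
```

Pointing the script at a real run (`cargo audit --json --file ./Cargo.lock > audit.json`) and feeding the file to `evaluate_audit` gives the same decision the PR's CI made: `ring 0.17.9` falls outside `>=0.17.12`, so the build fails until the lockfile is bumped. The `already_fixed` field is a guard against stale reports, and `extra_ignore` lets a repository accept a specific advisory (as the report above already does for two ids) without silencing the rest.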