ZENOTME opened a new pull request, #1050:
URL: https://github.com/apache/iceberg-rust/pull/1050

   ## Which issue does this PR close?
   
   <!--
   We generally require a GitHub issue to be filed for all bug fixes and 
enhancements and this helps us generate change logs for our releases. You can 
link an issue to this PR using the GitHub syntax. For example `Closes #123` 
indicates that this PR will close issue #123.
   -->
   
   - Closes #.
   
   ## What changes are included in this PR?
   
   <!--
   Provide a summary of the modifications in this PR. List the main changes 
such as new features, bug fixes, refactoring, or any other updates.
   -->
   
   Seems the ring has been detected overflow problem. This PR upgrade it to fix.
   
   Info from cargo audit:
   
   ```
   /home/runner/.cargo/bin/cargo audit --json --file ./Cargo.lock
     
{"database":{"advisory-count":735,"last-commit":"4f5cae00f0c77b753750451b0ed2ea0cce97458b","last-updated":"2025-03-06T14:44:11-07:00"},"lockfile":{"dependency-count":644},"settings":{"target_arch":[],"target_os":[],"severity":null,"ignore":["RUSTSEC-2023-0071","RUSTSEC-2024-0388"],"informational_warnings":["unmaintained","unsound","notice"]},"vulnerabilities":{"found":true,"count":1,"list":[{"advisory":{"id":"RUSTSEC-2025-0009","package":"ring","title":"Some
 AES functions may panic when overflow checking is 
enabled.","description":"`ring::aead::quic::HeaderProtectionKey::new_mask()` 
may panic when overflow\nchecking is enabled. In the QUIC protocol, an attacker 
can induce this panic by\nsending a specially-crafted packet. Even 
unintentionally it is likely to occur\nin 1 out of every 2**32 packets sent 
and/or received.\n\nOn 64-bit targets operations using 
`ring::aead::{AES_128_GCM, AES_256_GCM}` may\npanic when overflow checking is 
enabled, when encrypting/decrypting approximate
 ly\n68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. 
Protocols\nlike TLS and SSH are not affected by this because those protocols 
break large\namounts of data into small chunks. Similarly, most applications 
will not\nattempt to encrypt/decrypt 64GB of data in one chunk.\n\nOverflow 
checking is not enabled in release mode by default, but\n`RUSTFLAGS=\"-C 
overflow-checks\"` or `overflow-checks = true` in the Cargo.toml\nprofile can 
override this. Overflow checking is usually enabled by default in\ndebug 
mode.","date":"2025-03-06","aliases":[],"related":[],"collection":"crates","categories":["denial-of-service"],"keywords":[],"cvss":null,"informational":null,"references":[],"source":null,"url":"https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05","withdrawn":null,"license":"CC0-1.0"},"versions":{"patched":[";>=0.17.12"],"unaffected":[]},"affected":null,"package":{"name":"ring","version":"0.17.9","source":"registry+https://github.com/rust
 
-lang/crates.io-index","checksum":"e75ec5e92c4d8aede845126adc388046234541629e76029599ed35a003c7ed24","dependencies":
   ```
   
   ## Are these changes tested?
   
   <!--
   Specify what test covers (unit test, integration test, etc.).
   
   If tests are not included in your PR, please explain why (for example, are 
they covered by existing tests)?
   -->


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to