Bump rustls-webpki from 0.103.3 to 0.103.12

[dependabot]

Bumps rustls-webpki from 0.103.3 to 0.103.12.

Release notes

Sourced from rustls-webpki's releases.

0.103.12

This release fixes two bugs in name constraint enforcement:

• GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
• GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

• Prepare 0.103.12 by @​djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

• Backport parsing trust anchors with unknown critical extensions to 0.103 by @​djc in rustls/webpki#466

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

• Freshen up rel-0.103 by @​ctz in rustls/webpki#455
• Prepare 0.103.10 by @​ctz in rustls/webpki#458

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

0.103.9

What's Changed

• [backport] ci: avoid denying warnings on nightly toolchains by @​alex in rustls/webpki#437
• Backport lifetime change and bump version for release by @​alex in rustls/webpki#436

0.103.8

What's Changed

• backport valid_uri_names (#404) to rel-0.103 by @​alex in rustls/webpki#408

... (truncated)

Commits

• 27131d4 Bump version to 0.103.12
• 6ecb876 Clean up stuttery enum variant names
• 318b3e6 Ignore wildcard labels when matching name constraints
• 1219622 Rewrite constraint matching to avoid permissive catch-all branch
• 57bc62c Bump version to 0.103.11
• d0fa01e Allow parsing trust anchors with unknown criticial extensions
• 348ce01 Prepare 0.103.10
• dbde592 crl: fix authoritative_for() support for multiple URIs
• 9c4838e avoid std::prelude imports
• 009ef66 fix rust 1.94 ambiguous panic macro warnings
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Recently published: cargo rustls-webpki published 16 hours ago Location: Package overview From: ? → cargo/reqwest@0.12.19 → cargo/rustls-webpki@0.103.12 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rustls-webpki@0.103.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

Rust Benchmark

Details

Benchmark suite	Current: 4287069	Previous: 7bbf8c1	Ratio
rule-match-browserlike/brave-list	2016855186 ns/iter (± 17724067)	2049733303 ns/iter (± 11109645)	0.98
rule-match-first-request/brave-list	1123227 ns/iter (± 11729)	1156593 ns/iter (± 4562)	0.97
blocker_new/brave-list	146745814 ns/iter (± 785016)	157534261 ns/iter (± 1480704)	0.93
blocker_new/brave-list-deserialize	29239177 ns/iter (± 1249439)	29007836 ns/iter (± 65396)	1.01
memory-usage/brave-list-initial	10633093 ns/iter (± 3)	10633093 ns/iter (± 3)	1
memory-usage/brave-list-initial/max	61950746 ns/iter (± 3)	61950746 ns/iter (± 3)	1
memory-usage/brave-list-initial/alloc-count	1030644 ns/iter (± 3)	1030644 ns/iter (± 3)	1
memory-usage/brave-list-1000-requests	2316776 ns/iter (± 3)	2316792 ns/iter (± 3)	1.00
memory-usage/brave-list-1000-requests/alloc-count	70165 ns/iter (± 3)	70181 ns/iter (± 3)	1.00
url_cosmetic_resources/brave-list	190922 ns/iter (± 866)	202450 ns/iter (± 813)	0.94
cosmetic-class-id-match/brave-list	3450226 ns/iter (± 942669)	3317147 ns/iter (± 897261)	1.04

This comment was automatically generated by workflow using github-action-benchmark.

[dependabot]

Superseded by #623.