
Bump ring from 0.16.20 to 0.17.13 #99

Open
dependabot[bot] wants to merge 2 commits into master from dependabot/cargo/ring-0.17.13

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Aug 6, 2025

Bumps ring from 0.16.20 to 0.17.13.

Changelog

Sourced from ring's changelog.

Version 0.17.13 (2025-03-06)

Increased MSRV to 1.66.0 to avoid bugs in earlier versions so that we can safely use core::arch::x86_64::__cpuid and core::arch::x86::__cpuid from Rust in future releases.

AVX2-based VAES-CLMUL implementation. This will be a notable performance improvement for most newish x86-64 systems. This will likely raise the minimum binutils version supported for very old Linux distros.

Version 0.17.12 (2025-03-05)

Bug fix: briansmith/ring#2447 for denial of service (DoS).

  • Fixes a panic in ring::aead::quic::HeaderProtectionKey::new_mask() when integer overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 2**32 packets sent and/or received.

  • Fixes a panic on 64-bit targets in ring::aead::{AES_128_GCM, AES_256_GCM} when overflow checking is enabled, when encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols like TLS and SSH are not affected by this because those protocols break large amounts of data into small chunks. Similarly, most applications will not attempt to encrypt/decrypt 64GB of data in one chunk.

Overflow checking is not enabled in release mode by default, but RUSTFLAGS="-C overflow-checks" or overflow-checks = true in the Cargo.toml profile can override this. Overflow checking is usually enabled by default in debug mode.

Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
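An added check, not code from this PR, elf2tab or ring, that goes one step beyond the bump itself: it scans a Cargo.lock for every pinned `ring` version (a lockfile can carry several at once) and flags each one below 0.17.13, the version this PR moves to. The lockfile text is constructed for the example.

```rust
// Added example (not part of the PR or of elf2tab/ring): report every `ring`
// entry in a Cargo.lock and whether it is at or above the PR's target version.
// The changelog above credits the panic fix to 0.17.12; this PR bumps to 0.17.13.

const FIXED: (u64, u64, u64) = (0, 17, 13);

/// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffix ignored) into a comparable tuple.
fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Walk the lockfile's `[[package]]` tables. A lockfile may pin several versions of
/// the same crate, so every `ring` entry is reported, not just the first one found.
pub fn ring_versions(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new table: forget the previous package's name
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            // The top-level `version = N` (lockfile format) has no name and is skipped.
            if name.as_deref() == Some("ring") {
                let v = rest.trim_matches('"').to_string();
                let fixed = parse_semver(&v).map_or(false, |t| t >= FIXED);
                out.push((v, fixed));
            }
        }
    }
    out
}

// Constructed sample lockfile: the old ring plus a newer one pulled in transitively.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "elf2tab"
version = "0.1.0"

[[package]]
name = "ring"
version = "0.16.20"

[[package]]
name = "ring"
version = "0.17.14"
"#;
```

Run it against a real Cargo.lock with `std::fs::read_to_string`; any `false` entry means some dependency still pins a ring that panics on the crafted QUIC packet described above.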

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) on Aug 6, 2025
dependabot[bot] force-pushed the dependabot/cargo/ring-0.17.13 branch from 42d7a69 to 60d6a61 on August 6, 2025 17:18
brghena (Contributor) commented Jun 24, 2026

@dependabot rebase

dependabot[bot] (Contributor, Author) commented on behalf of github, Jun 24, 2026

Looks like this PR is already up-to-date with master! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

brghena (Contributor) commented Jun 24, 2026

@dependabot recreate

Bumps [ring](https://github.com/briansmith/ring) from 0.16.20 to 0.17.13.
- [Changelog](https://github.com/briansmith/ring/blob/main/RELEASES.md)
- [Commits](https://github.com/briansmith/ring/commits)

---
updated-dependencies:
- dependency-name: ring
  dependency-version: 0.17.13
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/cargo/ring-0.17.13 branch from 60d6a61 to bdea86e on June 24, 2026 21:42
Updated all the way to 0.17.14 which is the newest release. Updating to
at least 0.17.13 is needed for a dependabot security issue.

The public interface has changed somewhat so code had to change to
match.

brghena (Contributor) left a comment

I think this is a relatively straightforward fix. Two "big" changes (the PublicKeyComponents creation and the SystemRandom addition) and a smaller one (public modulus len) that's in several places.

I did NOT test this code. I only ensured that it still compiles with cargo.

Comment thread src/convert.rs
let key_pair = ring::signature::EcdsaKeyPair::from_pkcs8(
&ring::signature::ECDSA_P256_SHA256_FIXED_SIGNING,
&private_key_contents,
&rand::SystemRandom::new(),
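Review bot: the third argument is a temporary `rand::SystemRandom::new()` built inside the `from_pkcs8` call; if src/convert.rs loads more than one key, construct a single `SystemRandom` once and pass `&rng` to each call instead. The `rand::` path also needs `use ring::rand;` in scope, which this snippet does not show, and the call's closing `);` lies outside the shown lines, so double-check the full expression compiles as intended.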


This seems to be the right thing to do since it was what was previously removed from inside of the function. briansmith/ring@2accae1

Comment thread src/convert.rs
};

if key_pair.public_modulus_len() != 512 {
let public_key: ring::signature::RsaPublicKeyComponents<Vec<u8>> = key_pair.public().into();
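Review bot: `512` in the `public_modulus_len()` comparison is a bare magic number (512 bytes, i.e. a 4096-bit modulus); since the review comment says this check now appears in several places, give it a named constant such as `const RSA_MODULUS_LEN: usize = 512;` so the sites cannot drift apart. The `.into()` to `RsaPublicKeyComponents<Vec<u8>>` copies the modulus and exponent into owned buffers, which is fine here but deserves a one-line comment now that the direct accessors are gone.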


This got both harder and simpler. Getting the modulus and exponent from a public key is no longer directly supported, however a public key can just be changed into a PublicKeyComponents which is what we're creating here anyways.

brghena (Contributor) commented Jun 24, 2026

@bradjc I got annoyed at Dependabot for not doing this update for us, so I did it myself. I don't know how to test it to make sure I didn't break something in elf2tab though.
