Can't update rustls for OTEL #1503

Closed
ac000 opened this issue Dec 4, 2024 · 1 comment · Fixed by #1504
ac000 commented Dec 4, 2024

For some reason we can't update the version of rustls to fix a vulnerability.

dependabot tried and failed.

Trying myself (with version 0.23.19) I get the following error:

cargo build --release --manifest-path src/otel/Cargo.toml
    Updating crates.io index
error: failed to select a version for `rustls-pki-types`.
    ... required by package `rustls v0.23.19`
    ... which satisfies dependency `rustls = "^0.23.4"` (locked to 0.23.19) of package `reqwest v0.12.8`
    ... which satisfies dependency `reqwest = "^0.12.7"` (locked to 0.12.8) of package `otel v0.1.0 (/home/andrew/src/unit/src/otel)`
versions that meet the requirements `^1.10` are: 1.10.0

all possible versions conflict with previously selected packages.

  previously selected package `rustls-pki-types v1.9.0`
    ... which satisfies dependency `rustls-pki-types = "^1.1.0"` (locked to 1.9.0) of package `reqwest v0.12.8`
    ... which satisfies dependency `reqwest = "^0.12.7"` (locked to 0.12.8) of package `otel v0.1.0 (/home/andrew/src/unit/src/otel)`

failed to select a version for `rustls-pki-types` which could resolve this conflict
make: *** [build/Makefile:2168: src/otel/target/release/libotel.a] Error 101

@avahahn Any idea?

Cc: @callahad

@ac000 ac000 added this to the 1.34 milestone Dec 4, 2024
ac000 commented Dec 5, 2024

As @callahad suggested, bumping the version of rustls-pki-types fixes things:

diff --git ./src/otel/Cargo.lock ./src/otel/Cargo.lock
index c1a0e439..464bf44a 100644
--- ./src/otel/Cargo.lock
+++ ./src/otel/Cargo.lock
@@ -1387,9 +1387,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.13"
+version = "0.23.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2dabaac7466917e566adb06783a81ca48944c6898a1b08b9374106dd671f4c8"
+checksum = "934b404430bb06b3fae2cba809eb45a1ab1aecd64491213d7c3301b88393f8d1"
 dependencies = [
  "once_cell",
  "ring",
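Review bot: only Cargo.lock moves in this hunk; the resolver output in the issue shows rustls is pulled in through reqwest's `rustls = "^0.23.4"` requirement, so no manifest constraint stops the lock from drifting back to a pre-0.23.19 rustls if it is ever regenerated. The `cargo build --release --manifest-path src/otel/Cargo.toml` invocation quoted above does not pass `--locked`; adding it in the build would turn this lock bump from advisory into enforced.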
@@ -1423,9 +1423,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-pki-types"
-version = "1.9.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e696e35370c65c9c541198af4543ccd580cf17fc25d8e05c5a242b202488c55"
+checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b"
 
 [[package]]
 name = "rustls-webpki"
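Review bot: this hunk is the one that actually clears the conflict from the issue: rustls 0.23.19 requires `rustls-pki-types ^1.10` while the lock held 1.9.0, and 1.10.0 still satisfies reqwest's `rustls-pki-types = "^1.1.0"`, so both constraints are met. That reasoning belongs in the commit message, which currently only says the update is required without saying why; the replacement checksum line should also be cross-checked against the crates.io index entry rather than taken from the diff.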

@ac000 ac000 linked a pull request Dec 5, 2024 that will close this issue
ac000 added a commit to ac000/unit that referenced this issue Dec 5, 2024
- rustls to fix a 'panic in `Acceptor::accept`'

That also requires an update to rustls-pki-types

- hashbrown

It's not clear that this is actually a problem for us and we have two
different versions in Cargo.lock, one which isn't vulnerable, but just
bump the other version anyway, if you try and remove it altogether it
gets added back...

Link: <https://rustsec.org/advisories/RUSTSEC-2024-0399.html>
Link: <https://github.com/nginx/unit/security/dependabot/11>
Closes: <nginx#1503>
Signed-off-by: Andrew Clayton <[email protected]>
ac000 added a commit to ac000/unit that referenced this issue Dec 6, 2024
ac000 added a commit to ac000/unit that referenced this issue Dec 17, 2024
ac000 added a commit to ac000/unit that referenced this issue Dec 17, 2024
Run 'cargo update' to get the latest version of the required crates in
preparation for the 1.34.0 release.

The rustls update fixes a panic in `rustls::server::Acceptor::accept()`,
but Unit does not use this code path and was not affected.

Link: <https://rustsec.org/advisories/RUSTSEC-2024-0399.html>
Link: <https://github.com/nginx/unit/security/dependabot/11>
Closes: <nginx#1503>
Signed-off-by: Andrew Clayton <[email protected]>
ac000 added a commit to ac000/unit that referenced this issue Dec 18, 2024