9 matches found

OSV
added 2026/05/07 10:33 p.m., 2 views

GHSA-XV59-967R-8726 rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding

`CipherCtxRef::cipher_update`, `CipherCtxRef::cipher_update_vec`, and `symm::Crypter::update` incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (`EVP_aes_{128,192,256}_wrap_pad`). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or `Vec`,...

CVSS 5.1, AI score 5.9, EPSS 0.00006
Exploits: 0, References: 3

Rockylinux
added 2025/10/04 12:11 a.m., 2 views

bootc security update

An update is available for bootc. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Bootable container system. Security Fixes: rust-openssl: rust openssl...

CVSS 6.3, AI score 6.6, EPSS 0.00116
Exploits: 0

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2025-9903

Malicious code in bioql PyPI...

AI score 6.6
Exploits: 0, References: 4

Tenable Nessus
added 2025/06/14 12:0 a.m., 2 views

Fedora 42 : rust-openssl / rust-openssl-sys (2025-c263d3ebd9)

The remote Fedora 42 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2025-c263d3ebd9 advisory.
- Update the openssl crate to version 0.10.72.
- Update the openssl-sys crate to version 0.9.107.
This update addresses CVE-2025-3416 / RUSTSEC-2025-0022 a...

CVSS 3.7, AI score 5.2, EPSS 0.00093
Exploits: 0, References: 2

AlmaLinux
added 2025/05/13 12:0 a.m., 4 views

Moderate: rust-bootupd security update

Bootloader updater. Security Fixes: rust-openssl: rust openssl `ssl::select_next_proto` use after free (CVE-2025-24898). For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section...

CVSS 6.3, AI score 7, EPSS 0.00116
Exploits: 0, References: 4

OSV
added 2025/05/13 12:0 a.m., 5 views

ALSA-2025:7147 Moderate: rpm-ostree security update

The rpm-ostree tool binds together the RPM packaging model with the OSTree model of bootable file system trees. It provides commands that can be used both on client systems and on server-side composes. The rpm-ostree-client package provides commands for client systems to perform upgrades and...

CVSS 6.3, AI score 5.2, EPSS 0.00116
Exploits: 0, References: 4

OSV
added 2025/04/04 8:31 p.m., 6 views

GHSA-4FCV-W3QC-PPGG rust-openssl Use-After-Free in `Md::fetch` and `Cipher::fetch`

When a `Some(...)` value was passed to the `properties` argument of either of these functions, a use-after-free would result. In practice this would nearly always result in OpenSSL treating the properties as an empty string due to `CString::drop`'s behavior. The maintainers thank quitbug for reporting th...

CVSS 6.3, AI score 7
Exploits: 0, References: 4

Debian
added 2025/02/11 6:18 a.m., 5 views

[SECURITY] [DLA 4049-1] rust-openssl security update

Debian LTS Advisory DLA-4049-1 | https://www.debian.org/lts/security/ | Andrej Shadura | February 11, 2025 | https://wiki.debian.org/LTS ...

CVSS 6.3, AI score 6.1, EPSS 0.00116
Exploits: 0

Positive Technologies
added 2025/02/02 12:0 a.m., 3 views

PT-2025-5595

Name of the Vulnerable Software and Affected Versions: rust-openssl versions prior to 0.10.70. Description: The issue arises when `ssl::select_next_proto` returns a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. If the server buffer's lifetime is...

CVSS 9.1, AI score 5.8, EPSS 0.00236
Exploits: 1, References: 70